Edit tour

Windows Analysis Report
Tt843YGUx5.exe

Overview

General Information

Sample name:	Tt843YGUx5.exe renamed because original name is a hash value
Original sample name:	0d6bbe5907ca581fec7c452793aa1257.exe
Analysis ID:	1610406
MD5:	0d6bbe5907ca581fec7c452793aa1257
SHA1:	103b6e60ec864afc723f9fd0f8c29f91a0fcc4c7
SHA256:	a1734a3cebd107003588c3b860dd235827515439325aa5bd07dbe3e798cd2e48
Tags:	exeuser-abuse_ch
Infos:

Detection

Score:	80
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Contains functionality to register a low level keyboard hook

Drops PE files with a suspicious file extension

Joe Sandbox ML detected suspicious sample

Obfuscated command line found

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Tt843YGUx5.exe (PID: 7300 cmdline: "C:\Users\user\Desktop\Tt843YGUx5.exe" MD5: 0D6BBE5907CA581FEC7C452793AA1257)

cmd.exe (PID: 7368 cmdline: "C:\Windows\System32\cmd.exe" /c cmd < Seminato.vstm MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7420 cmdline: cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 7436 cmdline: findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

Inebriarti.exe.com (PID: 7452 cmdline: Inebriarti.exe.com A MD5: C56B5F0201A3B3DE53E561FE76912BFD)

Inebriarti.exe.com (PID: 7496 cmdline: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com A MD5: C56B5F0201A3B3DE53E561FE76912BFD)

findstr.exe (PID: 7464 cmdline: findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

Bonta.exe.com (PID: 7484 cmdline: Bonta.exe.com m MD5: C56B5F0201A3B3DE53E561FE76912BFD)

Bonta.exe.com (PID: 7532 cmdline: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com m MD5: C56B5F0201A3B3DE53E561FE76912BFD)

findstr.exe (PID: 7508 cmdline: findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

Pensiero.exe.com (PID: 7540 cmdline: Pensiero.exe.com E MD5: C56B5F0201A3B3DE53E561FE76912BFD)

Pensiero.exe.com (PID: 7624 cmdline: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com E MD5: C56B5F0201A3B3DE53E561FE76912BFD)

PING.EXE (PID: 7568 cmdline: ping 127.0.0.1 -n 30 MD5: B3624DD758CCECF93A1226CEF252CA12)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Tt843YGUx5.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: Tt843YGUx5.exe	Virustotal: Detection: 56%			Perma Link
Source: Tt843YGUx5.exe	ReversingLabs: Detection: 44%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.2% probability

Source: Tt843YGUx5.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_2_00409054 ??2@YAPAXI@Z,FindFirstFileW,FindClose,	0_2_00409054
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_2_00403186 FindFirstFileW,FindClose,SetLastError,CompareFileTime,	0_2_00403186
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_2_00402A8E FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00402A8E
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_2_00402B9F FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW,	0_2_00402B9F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D6494A GetFileAttributesW,FindFirstFileW,FindClose,	5_2_00D6494A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D64005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_00D64005
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D6C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	5_2_00D6C2FF
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D6CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	5_2_00D6CD9F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D6CD14 FindFirstFileW,FindClose,	5_2_00D6CD14
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D6F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_00D6F5D8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D6F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_00D6F735
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D6FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	5_2_00D6FA36
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D63CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_00D63CE2
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005F494A GetFileAttributesW,FindFirstFileW,FindClose,	7_2_005F494A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005F4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	7_2_005F4005
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005FC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	7_2_005FC2FF
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005FCD14 FindFirstFileW,FindClose,	7_2_005FCD14
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005FCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	7_2_005FCD9F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005FF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	7_2_005FF5D8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005FF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	7_2_005FF735
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005FFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	7_2_005FFA36
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005F3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	7_2_005F3CE2
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008A494A GetFileAttributesW,FindFirstFileW,FindClose,	11_2_008A494A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008A4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_008A4005
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008AC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	11_2_008AC2FF
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008ACD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	11_2_008ACD9F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008ACD14 FindFirstFileW,FindClose,	11_2_008ACD14
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008AF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_008AF5D8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008AF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_008AF735
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008AFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	11_2_008AFA36
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008A3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_008A3CE2

Networking

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30

Source: unknown	DNS traffic detected: query: OreSqbuLLIH.OreSqbuLLIH replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: NiXfPuxauHolCHyB.NiXfPuxauHolCHyB replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: OEEMOUIIEJHDT.OEEMOUIIEJHDT replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com

Code function: 5_2_00D729BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

5_2_00D729BA

Source: global traffic	DNS traffic detected: DNS query: OEEMOUIIEJHDT.OEEMOUIIEJHDT
Source: global traffic	DNS traffic detected: DNS query: NiXfPuxauHolCHyB.NiXfPuxauHolCHyB
Source: global traffic	DNS traffic detected: DNS query: OreSqbuLLIH.OreSqbuLLIH

Source: Tt843YGUx5.exe, 00000000.00000003.1666418994.000000000310F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Tt843YGUx5.exe, 00000000.00000003.1666418994.000000000310F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Tt843YGUx5.exe, 00000000.00000003.1666418994.000000000310F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Tt843YGUx5.exe, 00000000.00000003.1666418994.000000000310F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Tt843YGUx5.exe, 00000000.00000003.1666418994.000000000310F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Tt843YGUx5.exe, 00000000.00000003.1666418994.000000000310F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Tt843YGUx5.exe, 00000000.00000003.1666418994.000000000310F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Tt843YGUx5.exe, 00000000.00000003.1666418994.000000000310F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Tt843YGUx5.exe, 00000000.00000003.1666418994.000000000310F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Tt843YGUx5.exe, 00000000.00000003.1666418994.000000000310F000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000002.1722181819.0000000000DC9000.00000002.00000001.01000000.00000005.sdmp, Bonta.exe.com, 00000007.00000002.1702099669.0000000000659000.00000002.00000001.01000000.00000006.sdmp, Inebriarti.exe.com, 00000008.00000000.1673480225.0000000000DC9000.00000002.00000001.01000000.00000005.sdmp, Bonta.exe.com, 0000000A.00000000.1674856331.0000000000659000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Tt843YGUx5.exe, 00000000.00000003.1666418994.000000000310F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Tt843YGUx5.exe, 00000000.00000003.1666418994.000000000310F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Tt843YGUx5.exe, 00000000.00000003.1666418994.000000000310F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/06

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\Tt843YGUx5.exe

Code function: 0_2_004083CB SetWindowsHookExW 00000002,Function_0000839D,00000000,00000000

0_2_004083CB

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com

Code function: 5_2_00D74632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

5_2_00D74632

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D74830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	5_2_00D74830
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_00604830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	7_2_00604830
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008B4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	11_2_008B4830

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com

5_2_00D74632

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com

Code function: 5_2_00D60508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

5_2_00D60508

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D8D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	5_2_00D8D164
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_0061D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	7_2_0061D164
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008CD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	11_2_008CD164

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com

Code function: 5_2_00D642D5: CreateFileW,DeviceIoControl,CloseHandle,

5_2_00D642D5

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com

Code function: 5_2_00D58F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

5_2_00D58F2E

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D65778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	5_2_00D65778
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005F5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	7_2_005F5778
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008A5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	11_2_008A5778

Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_2_00405420	0_2_00405420
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_2_0040A840	0_2_0040A840
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_2_00413821	0_2_00413821
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_2_004189E1	0_2_004189E1
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_2_0040A1A0	0_2_0040A1A0
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_2_00418200	0_2_00418200
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_2_0040EA30	0_2_0040EA30
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_2_00418ABB	0_2_00418ABB
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_2_00409B50	0_2_00409B50
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_2_0040BB80	0_2_0040BB80
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_2_00418D53	0_2_00418D53
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_2_00409D00	0_2_00409D00
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_2_0040AF00	0_2_0040AF00
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_2_0040AF04	0_2_0040AF04
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D0B020	5_2_00D0B020
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D094E0	5_2_00D094E0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D09C80	5_2_00D09C80
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D223F5	5_2_00D223F5
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D88400	5_2_00D88400
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D36502	5_2_00D36502
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D0E6F0	5_2_00D0E6F0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D3265E	5_2_00D3265E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D2282A	5_2_00D2282A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D389BF	5_2_00D389BF
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D36A74	5_2_00D36A74
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D80A3A	5_2_00D80A3A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D10BE0	5_2_00D10BE0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D5EDB2	5_2_00D5EDB2
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D2CD51	5_2_00D2CD51
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D80EB7	5_2_00D80EB7
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D68E44	5_2_00D68E44
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D36FE6	5_2_00D36FE6
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D233B7	5_2_00D233B7
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D1D45D	5_2_00D1D45D
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D2F409	5_2_00D2F409
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D216B4	5_2_00D216B4
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D0F6A0	5_2_00D0F6A0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D01663	5_2_00D01663
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D1F628	5_2_00D1F628
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D278C3	5_2_00D278C3
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D2DBA5	5_2_00D2DBA5
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D21BA8	5_2_00D21BA8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D39CE5	5_2_00D39CE5
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D1DD28	5_2_00D1DD28
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D2BFD6	5_2_00D2BFD6
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D21FC0	5_2_00D21FC0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_0059B020	7_2_0059B020
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005994E0	7_2_005994E0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_00599C80	7_2_00599C80
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005B23F5	7_2_005B23F5
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_00618400	7_2_00618400
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005C6502	7_2_005C6502
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005C265E	7_2_005C265E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_0059E6F0	7_2_0059E6F0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005B282A	7_2_005B282A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005C89BF	7_2_005C89BF
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005C6A74	7_2_005C6A74
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_00610A3A	7_2_00610A3A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005A0BE0	7_2_005A0BE0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005BCD51	7_2_005BCD51
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005EEDB2	7_2_005EEDB2
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005F8E44	7_2_005F8E44
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_00610EB7	7_2_00610EB7
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005C6FE6	7_2_005C6FE6
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005B33B7	7_2_005B33B7
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005AD45D	7_2_005AD45D
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005BF409	7_2_005BF409
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_00591663	7_2_00591663
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005AF628	7_2_005AF628
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005B16B4	7_2_005B16B4
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_0059F6A0	7_2_0059F6A0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005B78C3	7_2_005B78C3
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005B1BA8	7_2_005B1BA8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005BDBA5	7_2_005BDBA5
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005C9CE5	7_2_005C9CE5
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005ADD28	7_2_005ADD28
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005BBFD6	7_2_005BBFD6
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005B1FC0	7_2_005B1FC0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_0084B020	11_2_0084B020
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008494E0	11_2_008494E0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_00849C80	11_2_00849C80
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008623F5	11_2_008623F5
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008C8400	11_2_008C8400
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_00876502	11_2_00876502
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_0084E6F0	11_2_0084E6F0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_0087265E	11_2_0087265E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_0086282A	11_2_0086282A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008789BF	11_2_008789BF
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008C0A3A	11_2_008C0A3A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_00876A74	11_2_00876A74
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_00850BE0	11_2_00850BE0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_0089EDB2	11_2_0089EDB2
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_0086CD51	11_2_0086CD51
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008C0EB7	11_2_008C0EB7
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008A8E44	11_2_008A8E44
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_00876FE6	11_2_00876FE6
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008633B7	11_2_008633B7
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_0086F409	11_2_0086F409
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_0085D45D	11_2_0085D45D
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_0084F6A0	11_2_0084F6A0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008616B4	11_2_008616B4
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_0085F628	11_2_0085F628
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_00841663	11_2_00841663
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008678C3	11_2_008678C3
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_0086DBA5	11_2_0086DBA5
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_00861BA8	11_2_00861BA8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_00879CE5	11_2_00879CE5
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_0085DD28	11_2_0085DD28
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_00861FC0	11_2_00861FC0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_0086BFD6	11_2_0086BFD6

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: String function: 005A1A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: String function: 005B8B30 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: String function: 005B0D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: String function: 00D28B30 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: String function: 00D11A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: String function: 00D20D17 appears 70 times
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: String function: 0040346A appears 45 times
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: String function: 00860D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: String function: 00868B30 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: String function: 00851A36 appears 34 times

Source: Tt843YGUx5.exe, 00000000.00000003.1666418994.000000000310F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameAutoIt3.exeB vs Tt843YGUx5.exe

Source: Tt843YGUx5.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.spyw.evad.winEXE@26/14@3/1

Source: C:\Users\user\Desktop\Tt843YGUx5.exe

Code function: 0_2_00408E97 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

0_2_00408E97

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D58DE9 AdjustTokenPrivileges,CloseHandle,	5_2_00D58DE9
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D59399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	5_2_00D59399
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005E8DE9 AdjustTokenPrivileges,CloseHandle,	7_2_005E8DE9
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005E9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	7_2_005E9399
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_00898DE9 AdjustTokenPrivileges,CloseHandle,	11_2_00898DE9
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_00899399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	11_2_00899399

Source: C:\Users\user\Desktop\Tt843YGUx5.exe

Code function: 0_2_00401268 GetDiskFreeSpaceExW,SendMessageW,

0_2_00401268

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com

Code function: 5_2_00D64148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

5_2_00D64148

Source: C:\Users\user\Desktop\Tt843YGUx5.exe

Code function: 0_2_00408906 GetDlgItem,GetDlgItem,SendMessageW,GetDlgItem,GetWindowLongW,GetDlgItem,SetWindowLongW,GetSystemMenu,EnableMenuItem,GetDlgItem,SetFocus,SetTimer,CoCreateInstance,GetDlgItem,IsWindow,GetDlgItem,EnableWindow,GetDlgItem,ShowWindow,

0_2_00408906

Source: C:\Users\user\Desktop\Tt843YGUx5.exe

Code function: 0_2_0040220D GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,GetProcAddress,GetProcAddress,wsprintfW,GetProcAddress,

0_2_0040220D

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03

Source: C:\Users\user\Desktop\Tt843YGUx5.exe

File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000

Jump to behavior

Source: Tt843YGUx5.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Tt843YGUx5.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Tt843YGUx5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Tt843YGUx5.exe	Virustotal: Detection: 56%
Source: Tt843YGUx5.exe	ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\Tt843YGUx5.exe

File read: C:\Users\user\Desktop\Tt843YGUx5.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Tt843YGUx5.exe "C:\Users\user\Desktop\Tt843YGUx5.exe"
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd < Seminato.vstm
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com Inebriarti.exe.com A
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com Bonta.exe.com m
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com A
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com m
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com Pensiero.exe.com E
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com E
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd < Seminato.vstm	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com Inebriarti.exe.com A	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com Bonta.exe.com m	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com Pensiero.exe.com E	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com m	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com E	Jump to behavior

Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Section loaded: rasadhlp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Tt843YGUx5.exe

Static file information: File size 9326758 > 1048576

Data Obfuscation

Obfuscated command line found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm	Jump to behavior

Source: C:\Users\user\Desktop\Tt843YGUx5.exe

Code function: 0_2_0040760A LoadLibraryA,GetProcAddress,GetWindow,GetWindow,GetDlgItem,GetWindow,

0_2_0040760A

Source: Tt843YGUx5.exe

Static PE information: real checksum: 0xf0b0e should be: 0x8e8212

Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_3_024C7F5C pushfd ; ret	0_3_024C7FBC
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_3_024C7F5C pushfd ; ret	0_3_024C7FBC
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_3_024C7D9F push ds; retf	0_3_024C7DA5
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_3_024C7D9F push ds; retf	0_3_024C7DA5
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_3_024C8090 push ecx; retf 0015h	0_3_024C8094
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_3_024C8090 push ecx; retf 0015h	0_3_024C8094
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_3_024C7F5C pushfd ; ret	0_3_024C7FBC
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_3_024C7F5C pushfd ; ret	0_3_024C7FBC
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_3_024C7D9F push ds; retf	0_3_024C7DA5
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_3_024C7D9F push ds; retf	0_3_024C7DA5
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_3_024C8090 push ecx; retf 0015h	0_3_024C8094
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_3_024C8090 push ecx; retf 0015h	0_3_024C8094
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_2_00418690 push eax; ret	0_2_004186BE
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D2E93F push edi; ret	5_2_00D2E941
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D2EA58 push esi; ret	5_2_00D2EA5A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D68A4A push FFFFFF8Bh; iretd	5_2_00D68A4C
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D1CBDB push eax; retf	5_2_00D1CBF8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D28B75 push ecx; ret	5_2_00D28B88
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D2EC33 push esi; ret	5_2_00D2EC35
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D2ED1C push edi; ret	5_2_00D2ED1E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005BE93F push edi; ret	7_2_005BE941
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005BEA58 push esi; ret	7_2_005BEA5A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005F8A4A push FFFFFF8Bh; iretd	7_2_005F8A4C
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005B8B75 push ecx; ret	7_2_005B8B88
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005ACBF1 push eax; retf	7_2_005ACBF8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005BEC33 push esi; ret	7_2_005BEC35
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005BED1C push edi; ret	7_2_005BED1E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_0086E93F push edi; ret	11_2_0086E941
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008A8A4A push FFFFFF8Bh; iretd	11_2_008A8A4C
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_0086EA58 push esi; ret	11_2_0086EA5A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_00868B75 push ecx; ret	11_2_00868B88

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D859B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	5_2_00D859B3
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D15EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	5_2_00D15EDA
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_006159B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	7_2_006159B3
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005A5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	7_2_005A5EDA
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008C59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	11_2_008C59B3
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_00855EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	11_2_00855EDA

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com

Code function: 5_2_00D233B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_00D233B7

Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	API coverage: 4.1 %
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	API coverage: 4.1 %
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	API coverage: 4.2 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_2_00409054 ??2@YAPAXI@Z,FindFirstFileW,FindClose,	0_2_00409054
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_2_00403186 FindFirstFileW,FindClose,SetLastError,CompareFileTime,	0_2_00403186
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_2_00402A8E FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00402A8E
Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Code function: 0_2_00402B9F FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW,	0_2_00402B9F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D6494A GetFileAttributesW,FindFirstFileW,FindClose,	5_2_00D6494A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D64005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_00D64005
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D6C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	5_2_00D6C2FF
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D6CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	5_2_00D6CD9F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D6CD14 FindFirstFileW,FindClose,	5_2_00D6CD14
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D6F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_00D6F5D8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D6F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_00D6F735
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D6FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	5_2_00D6FA36
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D63CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_00D63CE2
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005F494A GetFileAttributesW,FindFirstFileW,FindClose,	7_2_005F494A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005F4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	7_2_005F4005
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005FC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	7_2_005FC2FF
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005FCD14 FindFirstFileW,FindClose,	7_2_005FCD14
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005FCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	7_2_005FCD9F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005FF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	7_2_005FF5D8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005FF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	7_2_005FF735
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005FFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	7_2_005FFA36
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005F3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	7_2_005F3CE2
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008A494A GetFileAttributesW,FindFirstFileW,FindClose,	11_2_008A494A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008A4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_008A4005
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008AC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	11_2_008AC2FF
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008ACD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	11_2_008ACD9F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008ACD14 FindFirstFileW,FindClose,	11_2_008ACD14
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008AF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_008AF5D8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008AF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_008AF735
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008AFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	11_2_008AFA36
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008A3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_008A3CE2

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com

Code function: 5_2_00D15D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

5_2_00D15D13

Source: Pensiero.exe.com, 0000000B.00000003.1698834848.00000000019CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $FtFgHgfSLDQHNz = $FtFgHgfSLDQHNz + 1=
Source: Tt843YGUx5.exe, 00000000.00000003.1666418994.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1692965308.0000000001B6F000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1691680402.0000000001AF8000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1692718915.0000000001B66000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1693946637.0000000001BED000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1680075930.0000000001ACE000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1692137637.0000000001B4F000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1693241062.0000000001B86000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000008.00000002.3531569353.0000000001820000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Local $puvSDtqYrsfhEL = 'RPPoXblPCCcjAMnWzIKfyWHmssVRhgFSwWmgXhfRYsTdoRmjEcVFUc'
Source: Inebriarti.exe.com, 00000005.00000003.1701733792.0000000004655000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: RPPoXblPCCcjAMnWzIKfyWHmssVRhgFSwWmgXhfRYsTdoRmjEcVFUcG
Source: Pensiero.exe.com, 0000000B.00000003.1698834848.00000000019CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $FtFgHgfSLDQHNz = $FtFgHgfSLDQHNz + 1A
Source: Bonta.exe.com, 0000000A.00000002.3533267635.0000000003EB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VNswdqkJHGRvmueigEoCbcbzzRZsYHefjSEKYHhxeqEMuIKbJG
Source: Tt843YGUx5.exe, 00000000.00000003.1666418994.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1680075930.0000000001ACE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Local $mUnGEjvcQyyHiw = Execute(rETgxIUQ("88#121#119#110#115#108#78#120#75#113#116#102#121#45#44#111#109#115#90#105#88#108#103#112#89#114#70#106#103#44#46",5)), $oMLzKVgHrLiAtG = 'kImZXeDRqjFLvNVshxWmCEEFWYFxpoalRvHQqemUF'
Source: Tt843YGUx5.exe, 00000000.00000003.1666418994.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1693025789.0000000001411000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 0000000A.00000002.3531052690.00000000014DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $VdwHnUJpYBHGiro = Execute(GKHRXxdEq("92_125_123_114_119_112_82_124_79_117_120_106_125_49_48_77_88_78_126_116_116_131_76_92_48_50",9)), $XDDiCUzGlnMH = 'ImcUYqPiljrtfCXuiybhGfsGnP'
Source: Inebriarti.exe.com, 00000008.00000002.3532822784.000000000414A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kImZXeDRqjFLvNVshxWmCEEFWYFxpoalRvHQqemUF10#102#113#45
Source: Inebriarti.exe.com, 00000005.00000003.1701733792.0000000004655000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000008.00000002.3533628498.0000000004463000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UGEkkLaFjAXjVGXLQawHGZdbjwhEqMURhOrQFTVBwhgFsuRRJifZsK
Source: Bonta.exe.com, 00000007.00000003.1695624391.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1695897223.00000000039C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ImcUYqPiljrtfCXuiybhGfsGnPvxGBdPPnzWJUxsFDLlSNrVKnaTijmL
Source: Inebriarti.exe.com, 00000005.00000003.1700695130.00000000047C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: LDMFBZXYYDKLENPNZTQEMUSNJAKRRSOYSINESZUWMDFQUUCTLKIZVBH^
Source: Tt843YGUx5.exe, 00000000.00000003.1666277080.0000000003850000.00000004.00001000.00020000.00000000.sdmp, Tt843YGUx5.exe, 00000000.00000003.1666418994.000000000310F000.00000004.00000020.00020000.00000000.sdmp, Pensiero.exe.com, 0000000B.00000003.1698834848.00000000019CC000.00000004.00000020.00020000.00000000.sdmp, Pensiero.exe.com, 0000000B.00000003.1699394881.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $VjItThBcFgJSTh = Execute(ekrSXFezU("71#117#108#121#104#74#104#119#86#104#117#108#100#111#43#42#92#122#80#120#74#102#88#111#93#42#44",3)), $LHtIufRxUd = 'rAAViyZFlUnFeoHWSZCenyXOWRCUyyhgfSUBjlm'
Source: Inebriarti.exe.com, 00000005.00000003.1692965308.0000000001B6F000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1691680402.0000000001AF8000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1692718915.0000000001B66000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1693946637.0000000001BED000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1680075930.0000000001ACE000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1692137637.0000000001B4F000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1694222280.0000000001C06000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1693241062.0000000001B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Local $xTAygaMnGSysza = 'UGEkkLaFjAXjVGXLQawHGZdbjwhEqMURhOrQFTVBwhgFsuRRJifZsK'r+
Source: Inebriarti.exe.com, 00000008.00000002.3531569353.0000000001820000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Local $xTAygaMnGSysza = 'UGEkkLaFjAXjVGXLQawHGZdbjwhEqMURhOrQFTVBwhgFsuRRJifZsK''@
Source: Tt843YGUx5.exe, 00000000.00000003.1666418994.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1691571665.0000000001347000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1689996334.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1690692557.000000000132A000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1692063083.000000000138C000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1692460284.00000000013EF000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1693445024.00000000013F4000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1688117940.00000000012CF000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1691502189.0000000001346000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1690777147.000000000133A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Local $DxgKjzXtlDLONYMZ = 'VNswdqkJHGRvmueigEoCbcbzzRZsYHefjSEKYHhxeqEMuIKbJG'
Source: Inebriarti.exe.com, 00000008.00000002.3535027668.0000000004A38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllFhIV
Source: Tt843YGUx5.exe, 00000000.00000003.1666418994.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1694655066.0000000001C1A000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1695215897.0000000001C4E000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1692965308.0000000001B6F000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1691680402.0000000001AF8000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1692718915.0000000001B66000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1695971445.0000000001C52000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1693946637.0000000001BED000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1680075930.0000000001ACE000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1692137637.0000000001B4F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: For $lDMfBZXyYdklEnPNzTqemusNJakRrSoysInesZUWmdfquUcTLKIzvBh = 18 To 39
Source: Inebriarti.exe.com, 00000008.00000002.3533628498.0000000004463000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: RPPoXblPCCcjAMnWzIKfyWHmssVRhgFSwWmgXhfRYsTdoRmjEcVFUcN
Source: Tt843YGUx5.exe, 00000000.00000003.1666277080.0000000003850000.00000004.00001000.00020000.00000000.sdmp, Tt843YGUx5.exe, 00000000.00000003.1666418994.000000000310F000.00000004.00000020.00020000.00000000.sdmp, Pensiero.exe.com, 0000000B.00000003.1698834848.00000000019CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $FtFgHgfSLDQHNz = $FtFgHgfSLDQHNz + 1
Source: Bonta.exe.com, 0000000A.00000002.3533799202.0000000004103000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Pensiero.exe.com, 0000000B.00000003.1698834848.00000000019CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $FtFgHgfSLDQHNz = $FtFgHgfSLDQHNz + 1`
Source: Inebriarti.exe.com, 00000008.00000002.3534018742.00000000045E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: LDMFBZXYYDKLENPNZTQEMUSNJAKRRSOYSINESZUWMDFQUUCTLKIZVBH#n
Source: Tt843YGUx5.exe, 00000000.00000003.1666418994.000000000310F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Switch $FtFgHgfSLDQHNz
Source: Tt843YGUx5.exe, 00000000.00000003.1666418994.0000000002C00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Local $xTAygaMnGSysza = 'UGEkkLaFjAXjVGXLQawHGZdbjwhEqMURhOrQFTVBwhgFsuRRJifZsK'
Source: Tt843YGUx5.exe, 00000000.00000003.1666418994.000000000310F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $FtFgHgfSLDQHNz = 195
Source: Inebriarti.exe.com, 00000005.00000003.1705813854.000000000438B000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1706025656.000000000438B000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000003.1704634138.000000000438B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kImZXeDRqjFLvNVshxWmCEEFWYFxpoalRvHQqemUF02#121#45#44#
Source: Inebriarti.exe.com, 00000008.00000002.3531188326.0000000001720000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Local $mUnGEjvcQyyHiw = Execute(rETgxIUQ("88#121#119#110#115#108#78#120#75#113#116#102#121#45#44#111#109#115#90#105#88#108#103#112#89#114#70#106#103#44#46",5)), $oMLzKVgHrLiAtG = 'kImZXeDRqjFLvNVshxWmCEEFWYFxpoalRvHQqemUF'PY
Source: Bonta.exe.com, 00000007.00000003.1695528982.0000000003A5D000.00000004.00000020.00020000.00000000.sdmp, Bonta.exe.com, 00000007.00000003.1695402603.0000000003A4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VNswdqkJHGRvmueigEoCbcbzzRZsYHefjSEKYHhxeqEMuIKbJGpaIn
Source: Pensiero.exe.com, 0000000B.00000003.1698834848.00000000019CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $FtFgHgfSLDQHNz = $FtFgHgfSLDQHNz + 1&
Source: Bonta.exe.com, 0000000A.00000002.3532962197.0000000003D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ImcUYqPiljrtfCXuiybhGfsGnP
Source: Pensiero.exe.com, 0000000B.00000003.1698834848.00000000019CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $FtFgHgfSLDQHNz = 195qPv
Source: Tt843YGUx5.exe, 00000000.00000002.2061339840.0000000000728000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}z
Source: Pensiero.exe.com, 0000000B.00000003.1698834848.00000000019CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Switch $FtFgHgfSLDQHNzI

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com

Code function: 5_2_00D745D5 BlockInput,

5_2_00D745D5

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com

Code function: 5_2_00D15240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

5_2_00D15240

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com

Code function: 5_2_00D35CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

5_2_00D35CAC

Source: C:\Users\user\Desktop\Tt843YGUx5.exe

Code function: 0_2_0040760A LoadLibraryA,GetProcAddress,GetWindow,GetWindow,GetDlgItem,GetWindow,

0_2_0040760A

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com

Code function: 5_2_00D588CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

5_2_00D588CD

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D2A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00D2A385
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D2A354 SetUnhandledExceptionFilter,	5_2_00D2A354
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005BA354 SetUnhandledExceptionFilter,	7_2_005BA354
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_005BA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_005BA385
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_0086A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_0086A385
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_0086A354 SetUnhandledExceptionFilter,	11_2_0086A354

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com

Code function: 5_2_00D59369 LogonUserW,

5_2_00D59369

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com

Code function: 5_2_00D15240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

5_2_00D15240

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com

Code function: 5_2_00D61AC6 SendInput,keybd_event,

5_2_00D61AC6

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com

Code function: 5_2_00D651E2 mouse_event,

5_2_00D651E2

Source: C:\Users\user\Desktop\Tt843YGUx5.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd < Seminato.vstm	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com Inebriarti.exe.com A	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com Bonta.exe.com m	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R "^jFsHerEbljXpXySesHEeeiaEbuspVTxTkpsgNBbkUmDsXXeCDHjpLUEthNpWLcCdRtXONEgPpaiDDqGArPGhHlidFhwqaBAmWhASZgPYzbqaMqAjuJSWPfJHXGpA$" Pure.vstm	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com Pensiero.exe.com E	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com

5_2_00D588CD

Source: C:\Users\user\Desktop\Tt843YGUx5.exe

Code function: 0_2_0040287D AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0040287D

Source: Tt843YGUx5.exe, 00000000.00000003.1666418994.0000000003101000.00000004.00000020.00020000.00000000.sdmp, Inebriarti.exe.com, 00000005.00000000.1671409453.0000000000DB6000.00000002.00000001.01000000.00000005.sdmp, Bonta.exe.com, 00000007.00000000.1672625645.0000000000646000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Inebriarti.exe.com, Bonta.exe.com, Pensiero.exe.com	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com

Code function: 5_2_00D2885B cpuid

5_2_00D2885B

Source: C:\Users\user\Desktop\Tt843YGUx5.exe

Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,

0_2_004025C8

Source: C:\Users\user\Desktop\Tt843YGUx5.exe

Code function: 0_2_00401899 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_00401899

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com

Code function: 5_2_00D40722 GetUserNameW,

5_2_00D40722

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com

Code function: 5_2_00D3416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

5_2_00D3416A

Source: C:\Users\user\Desktop\Tt843YGUx5.exe

Code function: 0_2_00405420 ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z,GetVersionExW,GetCommandLineW,GetCommandLineW,lstrlenW,GetCommandLineW,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCommandLineW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCurrentProcess,SetProcessWorkingSetSize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,lstrlenW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,

0_2_00405420

Source: Pensiero.exe.com	Binary or memory string: WIN_81
Source: Pensiero.exe.com	Binary or memory string: WIN_XP
Source: Pensiero.exe.com	Binary or memory string: WIN_XPe
Source: Pensiero.exe.com	Binary or memory string: WIN_VISTA
Source: Pensiero.exe.com	Binary or memory string: WIN_7
Source: Pensiero.exe.com	Binary or memory string: WIN_8
Source: Bonta.exe.com, 0000000A.00000000.1674584730.0000000000646000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D7696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	5_2_00D7696E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Inebriarti.exe.com	Code function: 5_2_00D76E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	5_2_00D76E32
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_0060696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	7_2_0060696E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Bonta.exe.com	Code function: 7_2_00606E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	7_2_00606E32
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008B696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	11_2_008B696E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Pensiero.exe.com	Code function: 11_2_008B6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	11_2_008B6E32

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	121 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	121 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	25 System Information Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	1 Masquerading	LSA Secrets	31 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Remote System Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
Tt843YGUx5.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Tt843YGUx5.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Tt843YGUx5.exe