Windows Analysis Report
Gelato Italiano_74695.exe.exe

Overview

General Information

Sample name: Gelato Italiano_74695.exe.exe
(renamed file extension from bin to exe)
Original sample name: Gelato Italiano_74695.exe.bin
Analysis ID: 1522521
MD5: bf063c97747fc43dbd0b74cc540913de
SHA1: 79d9b261a7074442ce2c9f31e6ca6b0a8001062f
SHA256: aa49d7526627c77bb9c987717c9e84e41a40d1d9df73459daa9d9cf64c538534

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Installs new ROOT certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a window with clipboard capturing capabilities
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Stores large binary data to the registry
Uses 32bit PE files
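
The "Installs new ROOT certificates" and "Stores large binary data to the registry" signatures above are the two findings most worth confirming directly on an affected host rather than taking from the score alone: a certificate added to a user or machine store is written as a single large "Blob" value under SystemCertificates\Root\Certificates, keyed by the certificate's SHA-1 thumbprint. The following is an added example and is not part of the Joe Sandbox report or of the sample. It parses such Blob values (a sequence of property records, each <propid, reserved=1, length, data>, where property 32 is the DER-encoded certificate and property 3 its SHA-1), recomputes every root's thumbprint and reports roots that are absent from a baseline or whose subkey name disagrees with the certificate it actually holds. The baseline set, the FAKE_DER placeholder and the choice of the per-user (HKCU) store are assumptions; the report does not say which store the sample wrote to, so the machine store under HKLM should be checked the same way.

```python
"""Verify the report's "Installs new ROOT certificates" finding on a host by
parsing the certificate Blob values Windows keeps in the registry and
comparing every root against a baseline of known thumbprints.

Added example; not part of the Joe Sandbox report. FAKE_DER is a constructed
placeholder for a DER certificate (the parser never decodes ASN.1), and the
baseline set is an assumption the operator would fill from a clean machine.
"""
import hashlib
import struct
import sys

# Property IDs from wincrypt.h. A Blob value is a sequence of records
# <propid:u32><reserved:u32 = 1><length:u32><data[length]>, little-endian.
CERT_SHA1_HASH_PROP_ID = 3
CERT_CERT_PROP_ID = 32  # the DER-encoded certificate itself

# Per-user root store (assumption: the report does not name the store);
# the machine store is the same path under HKLM.
ROOT_STORE_KEY = r"Software\Microsoft\SystemCertificates\Root\Certificates"


def parse_cert_blob(blob):
    """Return {propid: data} for one Blob value, rejecting malformed input."""
    props, off = {}, 0
    while off + 12 <= len(blob):
        propid, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError("malformed certificate blob at offset %d" % (off - 12))
        props[propid] = blob[off:off + length]
        off += length
    if off != len(blob) or CERT_CERT_PROP_ID not in props:
        raise ValueError("truncated blob or no certificate record")
    return props


def thumbprint(props):
    """SHA-1 of the DER certificate as upper-case hex: the value Windows uses
    as the subkey name under ...\\Certificates."""
    return hashlib.sha1(props[CERT_CERT_PROP_ID]).hexdigest().upper()


def find_unexpected_roots(entries, baseline):
    """entries: {subkey_name: blob}. Returns (subkey, reason) findings for
    roots missing from the baseline and for entries whose subkey name does
    not match the certificate they actually contain."""
    findings = []
    for name, blob in entries.items():
        tp = thumbprint(parse_cert_blob(blob))
        if tp != name.upper():
            findings.append((name, "subkey name differs from certificate hash " + tp))
        if tp not in baseline:
            findings.append((name, "root not in baseline"))
    return findings


def build_blob(der):
    """Assemble a Blob in the layout the parser expects (used for the offline
    sample; also handy for testing detections without a live store)."""
    sha1 = hashlib.sha1(der).digest()
    return (struct.pack("<III", CERT_SHA1_HASH_PROP_ID, 1, len(sha1)) + sha1 +
            struct.pack("<III", CERT_CERT_PROP_ID, 1, len(der)) + der)


def read_store_from_registry(key_path=ROOT_STORE_KEY):
    """Windows only: {subkey: blob} for every certificate in the HKCU store."""
    import winreg
    entries, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as root:
        while True:
            try:
                name = winreg.EnumKey(root, i)
            except OSError:
                break
            with winreg.OpenKey(root, name) as sub:
                entries[name], _ = winreg.QueryValueEx(sub, "Blob")
            i += 1
    return entries


# Constructed placeholder standing in for a DER-encoded certificate.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_BLOB = build_blob(FAKE_DER)

if __name__ == "__main__":
    if sys.platform == "win32":
        store = read_store_from_registry()
    else:  # offline demo: one constructed root that no baseline knows about
        store = {thumbprint(parse_cert_blob(SAMPLE_BLOB)): SAMPLE_BLOB}
    for subkey, reason in find_unexpected_roots(store, baseline=set()):
        print(subkey, reason)
```

On a live host, take the baseline from a clean image of the same Windows build (the thumbprints present before the sample ran) and run the check against both HKCU and HKLM; a subkey whose name does not match the hash of its own certificate is a stronger signal than an unknown root alone, since the Windows APIs always name the key after the hash.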

Classification

AV Detection

Source: Gelato Italiano_74695.exe.exe Avira: detected
Source: http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=17 Virustotal: Detection: 6%
Source: Gelato Italiano_74695.exe.exe ReversingLabs: Detection: 62%
Source: Gelato Italiano_74695.exe.exe Virustotal: Detection: 64%
Source: Gelato Italiano_74695.exe.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Gelato Italiano_74695.exe.exe Static PE information: certificate valid
Source: unknown HTTPS traffic detected: 35.190.60.70:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: Gelato Italiano_74695.exe.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.000000000585F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: dlsft.com
Source: unknown HTTP traffic detected:
  POST /service.php?id=74695 HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  Content-Type: multipart/form-data; boundary=----------h-smile-2XS1R0L49PKGXJTY8V1ULGP1O
  Content-Length: 346
  User-Agent: sciter 4.3.0.0; Windows-7.1; www.sciter.com)
  Host: dlsft.com
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Mon, 30 Sep 2024 08:02:31 GMT
  Server: Apache
  Content-Length: 196
  Content-Type: text/html; charset=iso-8859-1
  Via: 1.1 google
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
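The POST to dlsft.com is the only beacon the sandbox observed, and the server answered 404, so the dynamic run captures the first check-in and nothing that would have followed a live response. The User-Agent names the Sciter UI runtime (www.sciter.com), and the HTML/CSS vocabulary in the string dumps further down in this report is consistent with that engine's built-in tables rather than with sample-specific configuration, so those strings make poor indicators on their own. What the report does show clearly is that the ?id=74695 in the beacon is the same number carried in the sample's file name, and that every callback.php and service.php URL found in memory repeats it. The following is an added example and not code from the report or from the sample: it parses the request in the flattened one-line form the report tool emits (the CRLFs did not survive extraction, so header boundaries are recognised from a list of known header names), matches it against rules built from the report's own indicators, and checks the file-name/beacon-ID correlation. BENIGN_REQUEST, the rule names and the KNOWN_HEADERS list are constructed for the example.

```python
"""Parse the flattened HTTP beacon captured in the report and match it
against indicators taken from the same report.

Added example; not part of the Joe Sandbox report. REPORT_REQUEST is the
request text copied from the report; BENIGN_REQUEST, KNOWN_HEADERS and RULES
are constructed here for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Header names seen in the report's flattened lines; longest first so that
# "Accept-Encoding" is not cut at "Accept". A boundary is "<name>: ".
KNOWN_HEADERS = sorted(
    ("Accept", "Accept-Encoding", "Content-Type", "Content-Length", "User-Agent",
     "Host", "Connection", "Cache-Control"),
    key=len, reverse=True)
HEADER_BOUNDARY = re.compile(r"(?=(?:%s): )" % "|".join(map(re.escape, KNOWN_HEADERS)))

# Copied verbatim from the report's "HTTP traffic detected" line.
REPORT_REQUEST = (
    "POST /service.php?id=74695 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate"
    "Content-Type: multipart/form-data; boundary=----------h-smile-2XS1R0L49PKGXJTY8V1ULGP1O"
    "Content-Length: 346User-Agent: sciter 4.3.0.0; Windows-7.1; www.sciter.com)"
    "Host: dlsft.comConnection: Keep-AliveCache-Control: no-cache"
)
# Constructed control request that should match no rule.
BENIGN_REQUEST = ("GET /index.html HTTP/1.1Accept: */*User-Agent: Mozilla/5.0 (constructed)"
                  "Host: example.comConnection: Keep-Alive")

# Indicators lifted from the report: the beacon endpoint, the Sciter runtime
# User-Agent and the securestudies.com tracking URL seen in memory strings.
RULES = [
    {"name": "dlsft.com service.php beacon", "method": "POST",
     "host": "dlsft.com", "path": "/service.php"},
    {"name": "Sciter runtime User-Agent", "ua_prefix": "sciter "},
    {"name": "securestudies.com TapAction tracker",
     "host": "post.securestudies.com", "path": "/TapAction.aspx"},
]


def parse_flat_request(text):
    """Return (method, target, headers) from a flattened request string."""
    parts = HEADER_BOUNDARY.split(text)
    method, target, _version = parts[0].split(" ", 2)
    headers = {}
    for raw in parts[1:]:
        name, _, value = raw.partition(": ")
        headers[name] = value
    return method, target, headers


def match_iocs(method, target, headers, rules):
    """Names of the rules whose every stated predicate holds for the request;
    a predicate a rule does not state is treated as satisfied."""
    path = urlsplit(target).path
    host = headers.get("Host", "").lower()
    ua = headers.get("User-Agent", "")
    hits = []
    for rule in rules:
        checks = (
            rule.get("method", method) == method,
            rule.get("host", host) == host,
            rule.get("path", path) == path,
            ua.startswith(rule.get("ua_prefix", "")),
        )
        if all(checks):
            hits.append(rule["name"])
    return hits


def beacon_id_matches_filename(filename, target):
    """True when the numeric suffix of the sample name ("..._74695.exe") is the
    value the beacon sends as ?id=, i.e. the installer carries its download or
    campaign ID in its own file name."""
    m = re.search(r"_(\d+)\.exe", filename)
    ids = parse_qs(urlsplit(target).query).get("id", [])
    return bool(m) and m.group(1) in ids


if __name__ == "__main__":
    method, target, headers = parse_flat_request(REPORT_REQUEST)
    print(method, target, headers["Host"], headers["User-Agent"])
    print("hits:", match_iocs(method, target, headers, RULES))
    print("id in filename:", beacon_id_matches_filename("Gelato Italiano_74695.exe.exe", target))
```

The rules deliberately key on host plus path and on the User-Agent prefix rather than on the exact query string, since the id and the multipart boundary vary per download; the file-name correlation is the piece worth keeping in a detection note, because a renamed copy of the installer will still send the id that was baked into it.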
Source: Gelato Italiano_74695.exe.exe String found in binary or memory: http://ccsca2021.crl.certum.pl/ccsca2021.crl0s
Source: Gelato Italiano_74695.exe.exe String found in binary or memory: http://ccsca2021.ocsp-certum.com05
Source: Gelato Italiano_74695.exe.exe String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: Gelato Italiano_74695.exe.exe String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: Gelato Italiano_74695.exe.exe String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.000000000585F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.0000000005854000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.0000000005825000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.000000000585F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.000000000585F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.0000000005854000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.000000000585F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.00000000057D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.0000000005854000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.0000000005854000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.000000000585F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621103293.0000000003A7C000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621103293.00000000039F3000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621103293.0000000003A67000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.0000000005825000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621013239.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621103293.0000000003A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dlsft.com/callback/geo/
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.620995051.0000000002F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dlsft.com/callback/geo/0
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.0000000005825000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dlsft.com/callback/geo/5
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621013239.0000000003460000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dlsft.com/callback/geo/e
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621103293.0000000003A67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dlsft.com/callback/geo/y
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.0000000005854000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.000000000585F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.0000000005825000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.0000000005854000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.0000000005854000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.000000000585F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.0000000005825000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.0000000005854000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.000000000585F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.000000000585F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621103293.0000000003A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://post.securestudies.com/TapAction.
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621103293.0000000003A7C000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621013239.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621103293.0000000003A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=0
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.620995051.0000000002F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=00
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621013239.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621103293.0000000003A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=1
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.620995051.0000000002F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=10
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621103293.0000000003A7C000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621013239.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621103293.0000000003A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=17
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.620995051.0000000002F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=170
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621103293.0000000003A7C000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621013239.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621103293.0000000003A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=2
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.620995051.0000000002F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=20
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621103293.0000000003A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=3
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.620995051.0000000002F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=30
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621103293.0000000003A7C000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621013239.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621103293.0000000003A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=4
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.620995051.0000000002F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=40
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621103293.0000000003A7C000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621013239.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621103293.0000000003A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=8
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.620995051.0000000002F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=80
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621103293.0000000003A7C000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621013239.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621103293.0000000003A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=9
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.620995051.0000000002F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=90
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.620738626.000000000089B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://post.securestudies.com/packages/PI1032/ContentI3.exe
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.620738626.000000000089B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://post.securestudies.com/packages/PI1032/ContentI3.exer
Source: Gelato Italiano_74695.exe.exe String found in binary or memory: http://repository.certum.pl/ccsca2021.cer0
Source: Gelato Italiano_74695.exe.exe String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: Gelato Italiano_74695.exe.exe String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: Gelato Italiano_74695.exe.exe String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: Gelato Italiano_74695.exe.exe String found in binary or memory: http://subca.ocsp-certum.com01
Source: Gelato Italiano_74695.exe.exe String found in binary or memory: http://subca.ocsp-certum.com02
Source: Gelato Italiano_74695.exe.exe String found in binary or memory: http://subca.ocsp-certum.com05
Source: Gelato Italiano_74695.exe.exe String found in binary or memory: http://www.certum.pl/CPS0
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.000000000585F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.0000000005854000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.000000000585F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621013239.0000000003460000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621013239.00000000033E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.premieropinion.com/privacy.aspx#pp
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621013239.0000000003460000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621013239.00000000033E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.premieropinion.com/privacy.aspx#tos
Source: Gelato Italiano_74695.exe.exe String found in binary or memory: http://www.winimage.com/zLibDll
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.0000000005825000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dlsft.com/
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.620995051.0000000002F10000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621013239.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621103293.0000000003A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dlsft.com/callback.php?channel=
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.620995051.0000000002F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dlsft.com/callback.php?channel=&id=
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.620995051.0000000002F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dlsft.com/callback.php?channel=&id=74695
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.620995051.0000000002F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dlsft.com/callback.php?channel=&id=74695&action=
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.000000000585F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dlsft.com/callback.php?channel=&id=74695&action=started
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.000000000585F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dlsft.com/callback.php?channel=&id=74695&action=started----
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.620995051.0000000002F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dlsft.com/callback.php?channel=&id=74695&action=started0
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.620995051.0000000002F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dlsft.com/callback.php?channel=&id=74695&action=startedP
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.000000000585F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dlsft.com/callback.php?channel=&id=74695&action=startedr
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.620995051.0000000002F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dlsft.com/callback.php?channel=0
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621013239.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621103293.0000000003A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dlsft.com/service.php?id=
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.620995051.0000000002F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dlsft.com/service.php?id=0
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621103293.0000000003A7C000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621013239.0000000003460000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dlsft.com/service.php?id=74695
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.620995051.0000000002F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dlsft.com/service.php?id=746950
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621103293.0000000003A7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dlsft.com/service.php?id=746952
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.620995051.0000000002F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dlsft.com/service.php?id=74695P
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621103293.0000000003A7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dlsft.com/service.php?id=74695V
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621103293.0000000003A7C000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621013239.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621103293.0000000003A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dpd.securestudies.com/dpdv2.aspx?campaignid=1538&co=
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.620995051.0000000002F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dpd.securestudies.com/dpdv2.aspx?campaignid=1538&co=0
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621013239.0000000003460000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621013239.00000000033E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://filedm.com/privacy.php
Source: Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.0000000005854000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.0000000005825000.00000004.00000020.00020000.00000000.sdmp, Gelato Italiano_74695.exe.exe, 00000000.00000002.621242689.000000000585F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: Gelato Italiano_74695.exe.exe String found in binary or memory: https://www.certum.pl/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown HTTPS traffic detected: 35.190.60.70:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Memory allocated: 770B0000 page execute and read and write
Source: Gelato Italiano_74695.exe.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal68.winEXE@1/0@1/1
Source: Gelato Italiano_74695.exe.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Gelato Italiano_74695.exe.exe ReversingLabs: Detection: 62%
Source: Gelato Italiano_74695.exe.exe Virustotal: Detection: 64%
Source: Gelato Italiano_74695.exe.exe String found in binary or memory: marker-start
Source: Gelato Italiano_74695.exe.exe String found in binary or memory: animation-start!
Source: Gelato Italiano_74695.exe.exe String found in binary or memory: <!--StartFragment-->
Source: Gelato Italiano_74695.exe.exe String found in binary or memory: Hstyle{css_property_animator}texti{text}{node}_UNKNOWNTTSTRIKESBUINSBIGQDELSUPEMSMALLSUBCODESAMPSTRONGDFNCITEBRKBDVARBUTTONSELECTINPUTOUTPUTRICHTEXTPLAINTEXTTEXTAREAHTMLAREA_BEFORE_AFTERPTEXTULOL_MARKER_SHADEMENUPREDLDIRBLOCKQUOTEDDDIVCENTERFORMHRDTLIH2H3SPLITTERH1H6ADDRESSH4H5BASEFONTMAPIMGFONTBODYHEADAREAHTMLTHTBODYTABLETDCAPTIONCOLTHEADTFOOTTITLEISINDEXCOLGROUPTRMETALINKBASESTYLEOPTGROUPOPTIONSSCRIPTOPTIONOBJECTFIELDSETWIDGETPARAMLABELNOBRLEGENDSPANFRAMESETPOPUPIFRAMEFRAMESECTIONARTICLEINCLUDEPICTUREHEADERFOOTERASIDEHGROUPPAGEBOXNAVMAINPAGEFRAMEPROGRESSMETERTOOLBARMARKFIGCAPTIONDETAILSTIMEFIGUREPATHRECTSVGGLINEPOLYLINECIRCLEELLIPSEUSEDEFSPOLYGONSWITCHLINEARGRADIENTSTOPMASKRADIALGRADIENT_SERVICE_TOTALVIDEOSOURCEnameidUNKNOWNclasstargetlanghrefsrcbgcolorvspaceforlangbackgroundbordercolorcellpaddinghspaceborderfixedcolsfixedlayoutcellspacingfixedrowsaltsizealignvalignnowraprowspanvaluenovalueminwidthminheightcolspanflowfacetabindexmaxwidthmaxheightdisabledreadonlycheckedselectedmultiplelabelcurrentanchorrowstitlepopupcolsmaxvalueminvaluetitleidprototypedircommandstepmaxlengthexpandedcollapsedstarttooltipforatvisiblehiddenaria-labelaria-labelledbycontenteditablerelmediarxaria-describedbyaria-descriptionviewboxx1ryry2cxy1x2fill-opacityfill-rulecyfillstroke-linecapstroke-linejoinstrokestroke-widthstroke-dashoffsetstroke-opacitystroke-miterlimitstroke-dasharraymarker-midmarker-endmarkermarker-startopacitygradientunitsstop-colorstop-opacitytransformpointsoffsetgradienttransformthemewindow-statespellcheckasvisibilitycleardirectiondisplayfont-familyfont-sizefloatfontfont-weightfont-rendering-modefont-stylefont-varianttext-aligntext-decorationletter-spacingline-heighttext-decoration-colortext-indenttext-decoration-styletext-decoration-linetext-transformwhite-spacetext-overflowtext-shadowword-breaktab-sizetext-wrapword-wraptext-selection-caret-colortext-selectiontext-selection-colortext-selection-background-colorhorizontal-alignbackground-attachmentbox-sizingvertical-alignbackground-positionbackground-position-topbackground-colorbackground-imagebackground-position-bottombackground-repeatbackground-position-leftbackground-position-rightbackground-offset-leftbackground-offset-rightbackground-offsetbackground-offset-topbackground-widthbackground-heightbackground-offset-bottombackground-sizeborder-bottomborder-bottom-colorbackground-clipbackground-image-frameborder-collapseborder-colorborder-bottom-styleborder-bottom-widthborder-left-styleborder-left-widthborder-leftborder-left-colorborder-right-styleborder-right-widthborder-rightborder-right-colorborder-top-colorborder-top-styleborder-styleborder-topmarginmargin-bottomborder-top-widthborder-widthmargin-toppaddingmargin-leftmargin-rightpadding-rightpadding-toppadding-bottompadding-leftlist-style-positionlist-style-typelist-stylelist-style-imagelist-marker-styleoverflowlist-marker-colorlist-marker-sizecursoroutline-coloroverflow-xoverflow-youtline-offsetoutlineoutline-widthoutline-stylepositionleftimage-render
Source: Gelato Italiano_74695.exe.exe String found in binary or memory: &gt;&lt;&quot;&amp;evenoddbuttinheritnonzeromiterbevelroundsquaredashedgroovedoubledottedoutsetglowridgeinsetsoliddoublenwse-hatchnesw-hatchgrooveridgedotteddashedglownwse-hatchinsetoutsetscroll-mannerautonesw-hatch/visiblehidden-scrollhidden-scrollscroll-indicatorseparateseparatescroll-indicatorcollapseonly-movemove-copycopy-moveonly-copyinsertrecycleonly-moveonly-copyreplaceinsertappendprependprependreplacerecycleappendmovewaitpointercrosshairne-resizenw-resizehelpe-resizesw-resizes-resizen-resizese-resizeno-dropdrag-copyw-resizenourl()expandcopydrag-movestretch-leftstretch-rightstretch-topstretch-bottomkeep-rationo-repeatstretch-middlestretchrepeat-ykeep-ratiorepeatrepeat-xstretch-leftstretch-rightstretch-topstretch-bottomno-repeat keep-rationo-repeatstretch-middlerepeatstretch keep-ratiostretchrepeat-xrepeat-ytext-onlyinline-insideblock-insidecentertablecircledecimalcenterdisclower-alphaupper-alphalower-romanupper-romanitalicobliquetree-linenormalenhancedscaleableitalicnormalsnap-pixelsnap-pixelsub-pixelclassicltrborder-boxsub-pixelrtlcontent-boxhit-margin-boxpadding-boxmargin-boxcurrentanimatefirstlastoptimize-speedpixelateddefaultcrisp-edgescontrastgrayscaleoptimize-qualitybrightnessopacitysaturatehue-rotateinvertcovercontainsepiadrop-shadowgridverticalrowcolumnshorizontal-flowhorizontal-wraphorizontalh-flowvertical-wrapvertical-listv-flowvertical-flowstacktexttable-fixedtable-rowhidden-when-partialimagehidden-when-partialinline-blocklist-itemblockinlinetable-celltable-bodycontentsinline-tablelocallocalbothfixedinsideinsidefixedoutsideoverlineline-throughoutsideunderlinepreprewrapwavycurrentcolorprepre-wrappre-wrapnowrapunrestrictedsuppressunrestrictedsuppressbreak-allkeep-allbreak-wordbreak-wordcapitalizeuppercasebreak-allkeep-alluppercaselowercaselowercasecapitalizemiddlebaselinejustifyendtext-toptext-bottomsubsuperlighter%dboldbolderbackgroundbackground-imageleft-to-righttop-to-rightforeground-imageforeground-positionbackground-positionforegroundalignment(list-style-imagelayouttop-centertop-right) top-leftmiddle-rightbottom-leftmiddle-leftmiddle-centerat-startat-endbottom-centerbottom-right%s %stoat-headat-tailclosest-cornerfarthest-sideellipseclosest-sidelinear-gradientradial-gradientfarthest-corneratimage-transformation, color-schema() function: bad color value
Source: Gelato Italiano_74695.exe.exe String found in binary or memory: |navigate:line-endnavigate:endnavigate:line-startnavigate:startnavigate:downnavigate:upnavigate:forwardnavigate:word-endnavigate:backwardnavigate:word-start-max-minnumber-step-valueminusplusdecimalinteger
Source: Gelato Italiano_74695.exe.exe String found in binary or memory: <![CDATA[charset=content-typehttp-equiv![CDATA[!--]]><!ENTITY !ENTITY!DOCTYPE<p style='color:red'>ERROR: cyclic INCLUDE of url %s</p>xmaxxminslicepreserveaspectratioMmLlHhVvCcSsQqTtAaZzuserspaceonuseymaxymin{block_svg_element}{block_svg}{null_layout}quad-in-outquad-inlinearquart-incubic-in-outcubic-outcubic-inquint-outquint-inquart-in-outquart-outsine-in-outsine-outsine-inquint-in-outcirc-inexpo-in-outexpo-outexpo-inelastic-outelastic-incirc-in-outcirc-outback-in-outback-outback-inelastic-in-outxx-back-inx-back-in-outx-back-outx-back-inbounce-outbounce-inxx-back-in-outxx-back-outbounce-in-outforeground-image-heightforeground-image-widthintrinsic-heightbackground-image-heightbackground-image-width$1c$cactive-onhover-offhover-ondouble-clickfocus-offfocus-onactive-offkey-onattachedsize-changedvalue-changedanimation-startanimation-endvalidatekey-offstart-animationanimation-stepcss-script{csss_animator}previousnextchildstop-animation$1$childrenprev$pvaluesortscroll-to-viewstop-timerstart-timer$1pmax-intrinsic-heightmin-intrinsic-heightmax-intrinsic-widthmin-intrinsic-widthcontentclientbox-*text-widthparent-y-*x-*updateshow-popupviewrootkey-codemouse-ymouse-xis-on-iconnesw-hatch.pngnwse-hatch.pngnwse-hatch.pngwave.pngred-wave.png%d.nesw-hatch.pngred-wave-2x.png{back_image_animator}{fore_image_animator}{text_block}next-pageprev-pagebasecorner{block_horizontal}{morphing_image}monospacemsscalcurlimportantdpiselectorprhttpsdeflateContent-EncodingHTTP/1.0http=http://%s:%d;https=https://%s:%dgzip: Content-Typegzip, deflateAccept-EncodingContent-Lengthapplication/x-www-form-urlencoded;charset=utf-8
Source: Gelato Italiano_74695.exe.exe String found in binary or memory: <html><body><!--StartFragment--><img src='
Source: Gelato Italiano_74695.exe.exe String found in binary or memory: delete rangebase->belongs_to(root_s, true)(root_s == root_e) && root_einsert plaintextdelete characterelpull <%S> elementremove <%S> spansapply <%S> spannew_listinsert rowbm.node->is_text()bm.node->is_element()split paragraphinsert elementnew_list_itemwrap blockmorph blockremove listapply listindentunindentreset blockapply blockpa->belongs_to(pre_root,true)patexts[n]->parentapply pre<html><body><!--StartFragment--><img src='cid:first && lastremove pre*EndFragment**StartFragment*pel->parent && pel->parent != until' /><!--EndFragment--></body></html>bm.valid() && bm.node->is_element()pbcgeneratorinsert htmlmerge htmlstyle,link,meta,title,baseheadpn && pn->is_element()nn && parentnn && nn->parentpn && pn->parentbm.valid()pos.node->is_text()pos.valid()ppelpt->is_text()ptn->parentat.node->is_element()!nbsp_injectionpn->parentprogress-bar{block_table_body}{block_horizontal_wrap}{block_vertical_wrap}{block_grid}<%s> element is not expected in <table>
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Section loaded: mscms.dll
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Section loaded: icm32.dll
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Section loaded: rpcrtremote.dll
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Section loaded: credssp.dll
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Section loaded: bcrypt.dll
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CACAF262-9370-4615-A13B-9F5539DA4C0A}\InProcServer32
Source: Gelato Italiano_74695.exe.exe Static PE information: certificate valid
Source: Gelato Italiano_74695.exe.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Gelato Italiano_74695.exe.exe Static file information: File size 5694296 > 1048576
Source: Gelato Italiano_74695.exe.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3d9400
Source: Gelato Italiano_74695.exe.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x112000
Source: Gelato Italiano_74695.exe.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Gelato Italiano_74695.exe.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Gelato Italiano_74695.exe.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Gelato Italiano_74695.exe.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Gelato Italiano_74695.exe.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Gelato Italiano_74695.exe.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Gelato Italiano_74695.exe.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Gelato Italiano_74695.exe.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Gelato Italiano_74695.exe.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Gelato Italiano_74695.exe.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Gelato Italiano_74695.exe.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Gelato Italiano_74695.exe.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe TID: 3432 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gelato Italiano_74695.exe.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation