Windows Analysis Report
SecuriteInfo.com.Heur.7529.3828.exe

Overview

General Information

Sample name: SecuriteInfo.com.Heur.7529.3828.exe
Analysis ID: 1502166
MD5: 6eec575753a25441c6fade4f961195c4
SHA1: 69ba87145777b46ca4e06c5563ebe77d4394d9e7
SHA256: 85433453aa370dd4059262be9a53d8cfed907908d7728226462a5fa6a667e921
Tags: exe

Detection

Score: 39
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

Deletes shadow drive data (may be related to ransomware)
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

Source: SecuriteInfo.com.Heur.7529.3828.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: SecuriteInfo.com.Heur.7529.3828.exe Static PE information: certificate valid
Source: unknown HTTPS traffic detected: 94.23.156.117:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.23.156.117:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tst\sqlite_bld_dir\2\sqlite3.pdb source: SecuriteInfo.com.Heur.7529.3828.exe, sqlite3.dll.0.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File opened: z:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File opened: x:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File opened: v:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File opened: t:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File opened: r:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File opened: p:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File opened: n:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File opened: l:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File opened: j:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File opened: h:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File opened: f:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File opened: b:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File opened: y:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File opened: w:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File opened: u:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File opened: s:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File opened: q:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File opened: o:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File opened: m:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File opened: k:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File opened: i:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File opened: g:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File opened: e:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File opened: c:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File opened: a:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05BFD1B4 FindFirstFileW,FindClose, 0_2_05BFD1B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05C12E28 FindFirstFileW,FindClose, 0_2_05C12E28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05BFCBE8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 0_2_05BFCBE8
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected:
  GET /new_version_4.0.092.txt HTTP/1.1
  Cache-Control: no-cache
  Connection: Close
  Pragma: no-cache
  Accept: */*
  User-Agent: Mozilla/5.0 (Windows; mORMot 1.18 TWinHTTP_)
  Host: www.privazer.com
Source: global traffic HTTP traffic detected:
  GET /new_version_4.0.092.txt HTTP/1.1
  Cache-Control: no-cache
  Connection: Close
  Pragma: no-cache
  Accept: */*
  User-Agent: Mozilla/5.0 (Windows; mORMot 1.18 TWinHTTP_)
  Host: privazer.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: www.privazer.com
Source: global traffic DNS traffic detected: DNS query: privazer.com
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx
  Date: Sat, 31 Aug 2024 09:27:20 GMT
  Content-Type: text/html; charset=iso-8859-1
  Content-Length: 196
  Connection: close
Source: SecuriteInfo.com.Heur.7529.3828.exe, json.dll.0.dr, sqlite3.dll.0.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000002.3391318080.0000000009ADD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SecuriteInfo.com.Heur.7529.3828.exe, leveldb-viewer.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: SecuriteInfo.com.Heur.7529.3828.exe, leveldb-viewer.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: SecuriteInfo.com.Heur.7529.3828.exe, leveldb-viewer.exe.0.dr String found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
Source: SecuriteInfo.com.Heur.7529.3828.exe, json.dll.0.dr, sqlite3.dll.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: SecuriteInfo.com.Heur.7529.3828.exe, json.dll.0.dr, sqlite3.dll.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.00000000012BB000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: SecuriteInfo.com.Heur.7529.3828.exe, json.dll.0.dr, leveldb-viewer.exe.0.dr, sqlite3.dll.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: SecuriteInfo.com.Heur.7529.3828.exe, leveldb-viewer.exe.0.dr String found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
Source: SecuriteInfo.com.Heur.7529.3828.exe, json.dll.0.dr, sqlite3.dll.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: SecuriteInfo.com.Heur.7529.3828.exe, json.dll.0.dr, sqlite3.dll.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.00000000012BB000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: SecuriteInfo.com.Heur.7529.3828.exe, json.dll.0.dr, leveldb-viewer.exe.0.dr, sqlite3.dll.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SecuriteInfo.com.Heur.7529.3828.exe, json.dll.0.dr, leveldb-viewer.exe.0.dr, sqlite3.dll.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.Heur.7529.3828.exe, json.dll.0.dr, leveldb-viewer.exe.0.dr, sqlite3.dll.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.0000000001B8D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://privazer.com/downloadupdate.php?changelog
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: SecuriteInfo.com.Heur.7529.3828.exe, leveldb-viewer.exe.0.dr String found in binary or memory: http://www.privazer.com
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: http://www.privazer.com/
Source: SecuriteInfo.com.Heur.7529.3828.exe, sqlite3.dll.0.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: leveldb-viewer.exe.0.dr String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.0000000001FFA000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://privazer.com/bug-madexcept.php
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://privazer.com/latest_donations.php
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://privazer.com/latest_donations.phpmsctls_progress32
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000002.3391318080.0000000009ADD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000002.3391318080.0000000009A27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://privazer.com/new_version_4.0.092.txt
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000002.3391318080.0000000009ADD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://privazer.com/new_version_4.0.092.txttxt7
Source: SecuriteInfo.com.Heur.7529.3828.exe, json.dll.0.dr, sqlite3.dll.0.dr String found in binary or memory: https://sectigo.com/CPS0
Source: SecuriteInfo.com.Heur.7529.3828.exe, leveldb-viewer.exe.0.dr String found in binary or memory: https://sectigo.com/CPS0B
Source: SecuriteInfo.com.Heur.7529.3828.exe, leveldb-viewer.exe.0.dr String found in binary or memory: https://sectigo.com/CPS0D
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000002.3391318080.0000000009ADD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.privazer.com/G
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/PrivaZer.exe
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/PrivaZer_Pro.exe
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/changelog.php
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/changelog.phpopenU
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/download-pro.php
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/download-pro.phpopenhttps://www.privazer.com/version-difference.php3
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/download-pro.phpopenhttps://www.privazer.com/version-difference.phpS
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/exit_unicode.php?country=
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/language_alert.php
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/language_alert.phpopen
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/latest_donations.php
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/my_latest_donation.php?email=
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/new_version_4.0.092.txt
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/order-privazer.htm
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/order-privazer.htmopen
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/pay-EUR-GBP.php
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/pay-EUR-GBP.php?donors=1&left=
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/pay-EUR-GBP.php?donors=1&support=1
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/pay-EUR-GBP.php?donors=1&support=1https://www.privazer.com/pay-EUR-GBP.phpS
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/pay-EUR-GBP.phpopen
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/pay-EUR-GBP.phpopenJRUN_A_CLEANUP_AT_PC_STARTUP_NOTIFY_ME
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/pay-EUR-GBP.phpopenS
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/pay-EUR-GBP.phpopenSVW
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/pay-EUR-GBP.phpopenU
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/support.php
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/support.phpopen
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/support.phpopenU
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.com/version-difference.php
Source: SecuriteInfo.com.Heur.7529.3828.exe, json.dll.0.dr, sqlite3.dll.0.dr String found in binary or memory: https://www.privazer.com0
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000002.3391318080.00000000099AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.privazer.com:443/new_version_4.0.092.txt
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: https://www.privazer.comhttps://www.privazer.com/download-pro.phpopenhttps://www.privazer.com/versio
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: Yara match File source: SecuriteInfo.com.Heur.7529.3828.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.2102917811.0000000000A86000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Heur.7529.3828.exe PID: 1176, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2101887856.0000000000401000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: /K vssadmin delete shadows /for=c: /oldest /QUIET
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2101887856.0000000000401000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: H/K vssadmin delete shadows /for=c: /oldest /QUIETC:\\
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2101887856.0000000000401000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: /C vssadmin delete shadows /for=
Source: SecuriteInfo.com.Heur.7529.3828.exe Binary or memory string: /K vssadmin delete shadows /for=c: /oldest /QUIET
Source: SecuriteInfo.com.Heur.7529.3828.exe Binary or memory string: H/K vssadmin delete shadows /for=c: /oldest /QUIETC:\\
Source: SecuriteInfo.com.Heur.7529.3828.exe Binary or memory string: /C vssadmin delete shadows /for=
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05CA85C8 0_2_05CA85C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05CA84D8 0_2_05CA84D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05CA83B8 0_2_05CA83B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05CA82C8 0_2_05CA82C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05CA6ED8 0_2_05CA6ED8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05C3080C 0_2_05C3080C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05CB174C 0_2_05CB174C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05CA71B8 0_2_05CA71B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05BFB96C 0_2_05BFB96C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05CB1890 0_2_05CB1890
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: String function: 05BFBD44 appears 37 times
Source: SecuriteInfo.com.Heur.7529.3828.exe Static PE information: Resource name: EXEFILE type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: SecuriteInfo.com.Heur.7529.3828.exe Static PE information: Resource name: EXEFILE type: PE32 executable (console) Intel 80386, for MS Windows
Source: SecuriteInfo.com.Heur.7529.3828.exe Static PE information: Resource name: EXEFILE type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: SecuriteInfo.com.Heur.7529.3828.exe Static PE information: Resource name: EXEFILE type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: leveldb-viewer.exe.0.dr Static PE information: Number of sections : 16 > 10
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2101887856.0000000000401000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.Heur.7529.3828.exe
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.00000000012BB000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename" vs SecuriteInfo.com.Heur.7529.3828.exe
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.0000000001FFA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameprivaZer2 vs SecuriteInfo.com.Heur.7529.3828.exe
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000002.3370847342.00000000009CD000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.Heur.7529.3828.exe
Source: SecuriteInfo.com.Heur.7529.3828.exe Binary or memory string: OriginalFilename vs SecuriteInfo.com.Heur.7529.3828.exe
Source: classification engine Classification label: sus39.rans.evad.winEXE@1/9@2/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05C1310C GetDiskFreeSpaceW, 0_2_05C1310C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05CAAE54 FindResourceW,LoadResource,SizeofResource,LockResource, 0_2_05CAAE54
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File created: C:\Users\user\Desktop\PrivaZer.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Mutant created: NULL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Mutant created: \Sessions\1\BaseNamedObjects\HookTThread$498
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Mutant created: \Sessions\1\BaseNamedObjects\mutex_PrivaZer_appli
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$498
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File created: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Heur.7529.3828.madExcept
Source: Yara match File source: 00000000.00000000.2102968553.00000000012BB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File read: C:\Program Files\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.0000000001271000.00000002.00000001.01000000.00000003.sdmp, sqlite3.dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.0000000001271000.00000002.00000001.01000000.00000003.sdmp, sqlite3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.0000000001271000.00000002.00000001.01000000.00000003.sdmp, sqlite3.dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.0000000001271000.00000002.00000001.01000000.00000003.sdmp, sqlite3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.0000000001271000.00000002.00000001.01000000.00000003.sdmp, sqlite3.dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.0000000001271000.00000002.00000001.01000000.00000003.sdmp, sqlite3.dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.0000000001271000.00000002.00000001.01000000.00000003.sdmp, sqlite3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.0000000001271000.00000002.00000001.01000000.00000003.sdmp, sqlite3.dll.0.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.0000000001271000.00000002.00000001.01000000.00000003.sdmp, sqlite3.dll.0.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.0000000001271000.00000002.00000001.01000000.00000003.sdmp, sqlite3.dll.0.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: 250-STARTTLS
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: /Address family not supported by protocol family
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: -stop
Source: SecuriteInfo.com.Heur.7529.3828.exe String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: faultrep.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: dbgcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: esent.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: olepro32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: websocket.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: fmifs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: ulib.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: ifsutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: srclient.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: spp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: vssapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: vsstrace.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: ktmw32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: thumbcache.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: taskschd.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File written: C:\Users\user\AppData\Local\Temp\000\data.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Automated click: OK
Source: SecuriteInfo.com.Heur.7529.3828.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Heur.7529.3828.exe Static file information: File size 29240904 > 1048576
Source: SecuriteInfo.com.Heur.7529.3828.exe Static PE information: Raw size of CODE is bigger than: 0x100000 < 0x63de00
Source: SecuriteInfo.com.Heur.7529.3828.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x152ee00
Source: SecuriteInfo.com.Heur.7529.3828.exe Static PE information: More than 200 imports for kernel32.dll
Source: SecuriteInfo.com.Heur.7529.3828.exe Static PE information: More than 200 imports for user32.dll
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tst\sqlite_bld_dir\2\sqlite3.pdb source: SecuriteInfo.com.Heur.7529.3828.exe, sqlite3.dll.0.dr
Source: sqlite3.dll.0.dr Static PE information: section name: .00cfg
Source: json.dll.0.dr Static PE information: section name: .didata
Source: leveldb-viewer.exe.0.dr Static PE information: section name: /4
Source: leveldb-viewer.exe.0.dr Static PE information: section name: /14
Source: leveldb-viewer.exe.0.dr Static PE information: section name: /29
Source: leveldb-viewer.exe.0.dr Static PE information: section name: /41
Source: leveldb-viewer.exe.0.dr Static PE information: section name: /55
Source: leveldb-viewer.exe.0.dr Static PE information: section name: /67
Source: leveldb-viewer.exe.0.dr Static PE information: section name: /80
Source: leveldb-viewer.exe.0.dr Static PE information: section name: /91
Source: leveldb-viewer.exe.0.dr Static PE information: section name: /102
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05C54474 push 05C544CAh; ret 0_2_05C544C2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05CC4438 push ecx; mov dword ptr [esp], ecx 0_2_05CC443C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05C0A7FC push ecx; mov dword ptr [esp], eax 0_2_05C0A7FE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05BFE7E4 push ecx; mov dword ptr [esp], edx 0_2_05BFE7E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05BFE7CC push ecx; mov dword ptr [esp], edx 0_2_05BFE7CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05BFE6B8 push ecx; mov dword ptr [esp], edx 0_2_05BFE6B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05BFE692 push ecx; mov dword ptr [esp], edx 0_2_05BFE695
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05BFE6DA push ecx; mov dword ptr [esp], edx 0_2_05BFE6DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05BFE634 push ecx; mov dword ptr [esp], edx 0_2_05BFE635
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05BFE64C push ecx; mov dword ptr [esp], edx 0_2_05BFE64D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05BFE640 push ecx; mov dword ptr [esp], edx 0_2_05BFE641
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05CC2160 push ecx; mov dword ptr [esp], ecx 0_2_05CC2164
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05C56124 push ecx; mov dword ptr [esp], ecx 0_2_05C56128
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05BFE01C push ecx; mov dword ptr [esp], edx 0_2_05BFE01D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05C5C3C8 push ecx; mov dword ptr [esp], ecx 0_2_05C5C3CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05C5E36C push ecx; mov dword ptr [esp], ecx 0_2_05C5E370
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05CBE31C push 05CBE38Eh; ret 0_2_05CBE386
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05CBE2E0 push ecx; mov dword ptr [esp], edx 0_2_05CBE2E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05CC4248 push ecx; mov dword ptr [esp], ecx 0_2_05CC424C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05C5A214 push ecx; mov dword ptr [esp], ecx 0_2_05C5A218
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05C58D40 push ecx; mov dword ptr [esp], ecx 0_2_05C58D44
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05C1ECD8 push ecx; mov dword ptr [esp], eax 0_2_05C1ECD9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05C00CDA push ecx; mov dword ptr [esp], edx 0_2_05C00CDD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05C1ECA8 push ecx; mov dword ptr [esp], eax 0_2_05C1ECA9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05C0ACBC push 05C0ACF4h; ret 0_2_05C0ACEC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05C28E78 push ecx; mov dword ptr [esp], ecx 0_2_05C28E7B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05CCC9C4 push ecx; mov dword ptr [esp], edx 0_2_05CCC9C9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05C0A9D0 push ecx; mov dword ptr [esp], eax 0_2_05C0A9D2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05C62980 push ecx; mov dword ptr [esp], edx 0_2_05C62985
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05C009A2 push ecx; mov dword ptr [esp], ecx 0_2_05C009A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05C629BC push 05C62A35h; ret 0_2_05C62A2D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File created: C:\Users\user\AppData\Local\Temp\000\json.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File created: C:\Users\user\AppData\Local\Temp\000\leveldb-viewer.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe File created: C:\Users\user\AppData\Local\Temp\000\sqlite3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WSearch

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Memory written: PID: 1176 base: 475E80 value: E9 7F 7C 05 00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Memory written: PID: 1176 base: 477C68 value: E9 0B 5E 05 00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Memory written: PID: 1176 base: 4958A0 value: E9 67 84 03 00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Memory written: PID: 1176 base: 4771F4 value: E9 B7 6B 05 00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Memory written: PID: 1176 base: 411C2C value: E9 47 C6 0B 00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Memory written: PID: 1176 base: 48C990 value: E9 37 19 04 00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Memory written: PID: 1176 base: 4927DC value: E9 EF BF 03 00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: SecuriteInfo.com.Heur.7529.3828.exe Binary or memory string: C:\USERS\FLA\DESKTOP\PROCMON.EXE - RACCOURCI.LNK
Source: SecuriteInfo.com.Heur.7529.3828.exe Binary or memory string: 0C:\USERS\FLA\DESKTOP\PROCMON.EXE - RACCOURCI.LNK
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\000\json.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\000\leveldb-viewer.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\000\sqlite3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe API coverage: 5.4 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe TID: 6820 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05BFD1B4 FindFirstFileW,FindClose, 0_2_05BFD1B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05C12E28 FindFirstFileW,FindClose, 0_2_05C12E28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05BFCBE8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 0_2_05BFCBE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05BFDE88 GetSystemInfo, 0_2_05BFDE88
Source: SecuriteInfo.com.Heur.7529.3828.exe Binary or memory string: *ALLUSERSPROFILE_APPDATA|VMware\logs||*.log
Source: SecuriteInfo.com.Heur.7529.3828.exe Binary or memory string: VMware
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000002.3391318080.0000000009ADD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWFICE6=1 #Izarcllsh
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000002.3389758705.0000000009870000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4OFFICE74=0 #VMware Player0zV
Source: SecuriteInfo.com.Heur.7529.3828.exe Binary or memory string: 'LocalAppDataPath|Temp\vmware-fla||*.log
Source: SecuriteInfo.com.Heur.7529.3828.exe Binary or memory string: VMware Player 050620fe75ee0093 05e01ecaf82f7d8e 06059df4b02360af 070b52cf73249257 0a1d19afe5a80f80
Source: PrivaZer.default.ini.0.dr Binary or memory string: OFFICE74=0 #VMware Player
Source: SecuriteInfo.com.Heur.7529.3828.exe Binary or memory string: LocalAppDataPath|Temp\vmware-fla||*.log
Source: SecuriteInfo.com.Heur.7529.3828.exe Binary or memory string: Twitter 888f2fa044591eda8Adobe Acrobat 9 Pro Extended 8a461f82e9eb41022ACDSee Photo Manager 2009 8dcca8b24a5e822e$VMware Workstation 8eafbd04ec8631ce
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000002.3391318080.0000000009ADD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000002.3373961376.00000000021F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Heur.7529.3828.exe Binary or memory string: WNNC_NET_VMWARE
Source: SecuriteInfo.com.Heur.7529.3828.exe Binary or memory string: ALLUSERSPROFILE_APPDATA|VMware\logs||*.log
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000002.3391318080.0000000009B52000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4OFFICE74=0 #VMware Playerr
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000002.3391318080.0000000009B52000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4OFFICE74=0 #VMware Player
Source: SecuriteInfo.com.Heur.7529.3828.exe Binary or memory string: VMware Player
Source: SecuriteInfo.com.Heur.7529.3828.exe Binary or memory string: VMware.Console
Source: SecuriteInfo.com.Heur.7529.3828.exe Binary or memory string: VMWare Player
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05CB908C IsDebuggerPresent,RaiseException, 0_2_05CB908C
Source: SecuriteInfo.com.Heur.7529.3828.exe Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.Heur.7529.3828.exe Binary or memory string: Shell_TrayWndTrayNotifyWndU
Source: SecuriteInfo.com.Heur.7529.3828.exe Binary or memory string: TrayNotifyWndShell_TrayWnd
Source: SecuriteInfo.com.Heur.7529.3828.exe Binary or memory string: Shell_TrayWndU
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05BF7C38 cpuid 0_2_05BF7C38
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 0_2_05BFD2EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: EnumSystemLocalesW, 0_2_05C1A510
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_05BFC78C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: GetLocaleInfoW, 0_2_05C1A328
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: GetLocaleInfoW, 0_2_05C16DE4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: GetLocaleInfoW, 0_2_05C16E30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05C15288 GetLocalTime, 0_2_05C15288
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe Code function: 0_2_05BFDE9C GetVersion, 0_2_05BFDE9C
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2101887856.0000000000401000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: MsMpEng.exe