privacy-eraser-setup.exe
This report is generated from a file or URL submitted to this webservice on October 11th 2019 12:16:00 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response

Risk Assessment
- Spyware
  Accesses potentially sensitive information from local browsers
  Found a string that may be used as part of an injection method
- Persistence
  Interacts with the primary disk partition (DR0)
  Modifies auto-execute functionality by setting/creating a value in the registry
  Spawns a lot of processes
  Writes data to a remote process
- Fingerprint
  Queries kernel debugger information
  Queries process information
  Queries sensitive IE security settings
  Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
  Reads the active computer name
  Reads the cryptographic machine GUID
- Evasive
  Marks file for deletion
  Possibly checks for the presence of an Antivirus engine
  Possibly tries to evade analysis by sleeping many times
  Reads Antivirus engine related registry keys
- Spreading
  Opens the MountPointManager (often used to detect additional infection locations)
  Tries to access unusual system drive letters
- Network Behavior
  Contacts 6 domains and 3 hosts.
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (14)

Anti-Detection/Stealthiness

Creates a resource fork (ADS) file (often used to hide data)
- details:
  "PrivacyEraser64.exe" created file "Z:"
  "PrivacyEraser64.exe" created file "C:"
- source: API Call
- relevance: 8/10

Reads Antivirus engine related registry keys
- details:
  "PrivacyEraser64.exe" (Path: "HKLM\SOFTWARE\AVIRA\ANTIVIR DESKTOP")
  "PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\AVIRA\ANTIVIRUS")
  "PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\ASHAMPOO")
  "PrivacyEraser64.exe" (Path: "HKLM\SOFTWARE\AVG")
  "PrivacyEraser64.exe" (Path: "HKLM\SOFTWARE\COMPUTERASSOCIATES\ANTI-VIRUS")
  "PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\CLAMWIN")
  "PrivacyEraser64.exe" (Path: "HKLM\SOFTWARE\MALWAREBYTES' ANTI-MALWARE")
  "PrivacyEraser64.exe" (Path: "HKLM\SOFTWARE\SYMANTEC\NORTON ANTIVIRUS NT")
  "PrivacyEraser64.exe" (Path: "HKLM\SOFTWARE\SYMANTEC\SYMANTEC ANTIVIRUS")
  "PrivacyEraser64.exe" (Path: "HKLM\SOFTWARE\SUPERANTISPYWARE.COM\SUPERANTISPYWARE")
- source: Registry Access
- relevance: 8/10
- ATT&CK ID: T1063

External Systems

Sample was identified as malicious by at least one Antivirus engine
- details:
  2/20 Antivirus vendors marked sample as malicious (10% detection rate)
- source: External System
- relevance: 8/10

General

The analysis spawned a process that was identified as malicious
- details:
  1/71 Antivirus vendors marked spawned process "privacy-eraser-setup.tmp" (PID: 3672) as malicious (classified as "Banbra" with 1% detection rate)
- source: Monitored Target
- relevance: 10/10

Installation/Persistence

Allocates virtual memory in a remote process
- details:
  "privacy-eraser-setup.tmp" allocated memory in "%WINDIR%\SysWOW64\en-US\shell32.dll.mui"
  "privacy-eraser-setup.tmp" allocated memory in "\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer"
  "privacy-eraser-setup.tmp" allocated memory in "%PROGRAMFILES%\Internet Explorer\iexplore.exe"
  "privacy-eraser-setup.tmp" allocated memory in "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Privacy Eraser\Uninstall Privacy Eraser.lnk"
  "privacy-eraser-setup.tmp" allocated memory in "\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4}"
- source: API Call
- relevance: 7/10
- ATT&CK ID: T1055

Writes data to a remote process
- details:
  "privacy-eraser-setup.exe" wrote 1500 bytes to a remote process "%TEMP%\is-QPB7D.tmp\privacy-eraser-setup.tmp" (Handle: 252)
  "privacy-eraser-setup.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-QPB7D.tmp\privacy-eraser-setup.tmp" (Handle: 252)
  "privacy-eraser-setup.exe" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-QPB7D.tmp\privacy-eraser-setup.tmp" (Handle: 252)
  "privacy-eraser-setup.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-QPB7D.tmp\privacy-eraser-setup.tmp" (Handle: 252)
  "privacy-eraser-setup.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-QPB7D.tmp\privacy-eraser-setup.tmp" (Handle: 252)
  "privacy-eraser-setup.tmp" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-91OTV.tmp\PrivacyEraser64.exe" (Handle: 496)
  "privacy-eraser-setup.tmp" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-91OTV.tmp\PrivacyEraser64.exe" (Handle: 496)
  "privacy-eraser-setup.tmp" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-91OTV.tmp\PrivacyEraser64.exe" (Handle: 496)
  "privacy-eraser-setup.tmp" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-91OTV.tmp\PrivacyEraser64.exe" (Handle: 496)
  "privacy-eraser-setup.tmp" wrote 32 bytes to a remote process "C:\Program Files\Cybertron\Privacy Eraser\PrivacyEraser64.exe" (Handle: 712)
  "privacy-eraser-setup.tmp" wrote 52 bytes to a remote process "C:\Program Files\Cybertron\Privacy Eraser\PrivacyEraser64.exe" (Handle: 712)
  "privacy-eraser-setup.tmp" wrote 4 bytes to a remote process "C:\Program Files\Cybertron\Privacy Eraser\PrivacyEraser64.exe" (Handle: 712)
  "privacy-eraser-setup.tmp" wrote 8 bytes to a remote process "C:\Program Files\Cybertron\Privacy Eraser\PrivacyEraser64.exe" (Handle: 712)
  "privacy-eraser-setup.tmp" wrote 32 bytes to a remote process "C:\Program Files\Internet Explorer\iexplore.exe" (Handle: 976)
  "privacy-eraser-setup.tmp" wrote 52 bytes to a remote process "C:\Program Files\Internet Explorer\iexplore.exe" (Handle: 976)
  "privacy-eraser-setup.tmp" wrote 4 bytes to a remote process "C:\Program Files\Internet Explorer\iexplore.exe" (Handle: 976)
  "privacy-eraser-setup.tmp" wrote 8 bytes to a remote process "C:\Program Files\Internet Explorer\iexplore.exe" (Handle: 976)
  "privacy-eraser-setup.tmp" wrote 32 bytes to a remote process "C:\Program Files\Internet Explorer\iexplore.exe" (Handle: 984)
  "privacy-eraser-setup.tmp" wrote 52 bytes to a remote process "C:\Program Files\Internet Explorer\iexplore.exe" (Handle: 984)
  "privacy-eraser-setup.tmp" wrote 4 bytes to a remote process "C:\Program Files\Internet Explorer\iexplore.exe" (Handle: 984)
  "privacy-eraser-setup.tmp" wrote 8 bytes to a remote process "C:\Program Files\Internet Explorer\iexplore.exe" (Handle: 984)
  "privacy-eraser-setup.tmp" wrote 32 bytes to a remote process "C:\Program Files\Cybertron\Privacy Eraser\PrivacyEraser64.exe" (Handle: 776)
  "privacy-eraser-setup.tmp" wrote 52 bytes to a remote process "C:\Program Files\Cybertron\Privacy Eraser\PrivacyEraser64.exe" (Handle: 776)
  "privacy-eraser-setup.tmp" wrote 4 bytes to a remote process "C:\Program Files\Cybertron\Privacy Eraser\PrivacyEraser64.exe" (Handle: 776)
  "privacy-eraser-setup.tmp" wrote 8 bytes to a remote process "C:\Program Files\Cybertron\Privacy Eraser\PrivacyEraser64.exe" (Handle: 776)
  "privacy-eraser-setup.tmp" wrote 32 bytes to a remote process "C:\Program Files\Cybertron\Privacy Eraser\PrivacyEraser64.exe" (Handle: 772)
  "privacy-eraser-setup.tmp" wrote 52 bytes to a remote process "C:\Program Files\Cybertron\Privacy Eraser\PrivacyEraser64.exe" (Handle: 772)
  "privacy-eraser-setup.tmp" wrote 4 bytes to a remote process "C:\Program Files\Cybertron\Privacy Eraser\PrivacyEraser64.exe" (Handle: 772)
  "privacy-eraser-setup.tmp" wrote 8 bytes to a remote process "C:\Program Files\Cybertron\Privacy Eraser\PrivacyEraser64.exe" (Handle: 772)
  "iexplore.exe" wrote 32 bytes to a remote process "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (Handle: 900)
  "iexplore.exe" wrote 52 bytes to a remote process "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (Handle: 900)
  "iexplore.exe" wrote 8 bytes to a remote process "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (Handle: 900)
  "iexplore.exe" wrote 4 bytes to a remote process "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (Handle: 900)
  "iexplore.exe" wrote 32 bytes to a remote process "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (Handle: 888)
  "iexplore.exe" wrote 52 bytes to a remote process "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (Handle: 888)
  "iexplore.exe" wrote 8 bytes to a remote process "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (Handle: 888)
  "iexplore.exe" wrote 4 bytes to a remote process "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (Handle: 888)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055

Network Related

Malicious artifacts seen in the context of a contacted host
- details:
  Found malicious artifacts related to "162.241.252.131": ...
- source: Network Traffic
- relevance: 10/10

Multiple malicious artifacts seen in the context of different hosts
- details:
  Found malicious artifacts related to "162.241.252.131": ...
- source: Network Traffic
- relevance: 10/10

System Destruction

Interacts with the primary disk partition (DR0)
- details:
  "PrivacyEraser64.exe" interacting with "\Device\Harddisk0\DR0" using IoControlCode 0x2d1400
- source: API Call
- relevance: 5/10
- ATT&CK ID: T1067

Unusual Characteristics

Checks for a resource fork (ADS) file
- details:
  "PrivacyEraser64.exe" checked file "Z:"
  "PrivacyEraser64.exe" checked file "C:"
- source: API Call
- relevance: 5/10

Contains ability to reboot/shutdown the operating system
- details:
  ExitWindowsEx@user32.dll
  ExitWindowsEx@user32.dll
- source: Hybrid Analysis Technology
- relevance: 5/10

Spawns a lot of processes
- details:
  Spawned process "privacy-eraser-setup.exe"
  Spawned process "privacy-eraser-setup.tmp" with commandline "/SL5="$50246,5374264,721408,C:\privacy-eraser-setup.exe""
  Spawned process "PrivacyEraser64.exe" with commandline "/CheckMutex"
  Spawned process "PrivacyEraser64.exe" with commandline "/Install /RBAddOpen /RBAddErase /WEAddErase"
  Spawned process "PrivacyEraser64.exe"
  Spawned process "PrivacyEraser64.exe"
- source: Monitored Target
- relevance: 8/10

Tries to access unusual system drive letters
- details:
  "PrivacyEraser64.exe" touched "K:"
  "PrivacyEraser64.exe" touched "L:"
  "PrivacyEraser64.exe" touched "M:"
  "PrivacyEraser64.exe" touched "N:"
  "PrivacyEraser64.exe" touched "O:"
  "PrivacyEraser64.exe" touched "P:"
  "PrivacyEraser64.exe" touched "Q:"
  "PrivacyEraser64.exe" touched "R:"
  "PrivacyEraser64.exe" touched "S:"
  "PrivacyEraser64.exe" touched "T:"
  "PrivacyEraser64.exe" touched "U:"
  "PrivacyEraser64.exe" touched "V:"
  "PrivacyEraser64.exe" touched "W:"
  "PrivacyEraser64.exe" touched "X:"
  "PrivacyEraser64.exe" touched "Y:"
- source: API Call
- relevance: 9/10
- ATT&CK ID: T1083

Hiding 1 Malicious Indicator
Suspicious Indicators (36)

Anti-Reverse Engineering

Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- details:
  "iexplore.exe" is protecting 8192 bytes with PAGE_GUARD access rights
- source: API Call
- relevance: 10/10

Cryptographic Related

Found a cryptographic related string
- details:
  "DES" (Indicator: "des"; File: "00010010-00003588.00000000.10129.4037C000.00000002.mdmp")
  "rc6" (Indicator: "rc6"; File: "00010010-00003588.00000000.10129.4037C000.00000002.mdmp")
  "twofish" (Indicator: "twofish"; File: "00010010-00003588.00000000.10129.4037C000.00000002.mdmp")
- source: File/Memory
- relevance: 10/10

Environment Awareness

Possibly tries to evade analysis by sleeping many times
- details:
  "PrivacyEraser64.exe" (Thread ID: 2340) slept "520" times (threshold: 500)
- source: API Call
- relevance: 10/10

Reads the active computer name
- details:
  "privacy-eraser-setup.tmp" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  "PrivacyEraser64.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012

Reads the cryptographic machine GUID
- details:
  "PrivacyEraser64.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012

External Systems

Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details:
  1/71 reputation engines marked "http://www.jrsoftware.org/ishelp/index.php" as malicious (1% detection rate)
  1/71 reputation engines marked "http://isrg.trustid.ocsp.identrust.com" as malicious (1% detection rate)
- source: External System
- relevance: 10/10

General

Contains ability to find and load resources of a specific module
- details:
  LockResource@KERNEL32.DLL from privacy-eraser-setup.exe (PID: 2496)
  FindResourceW@KERNEL32.DLL from privacy-eraser-setup.exe (PID: 2496)
  LoadResource@KERNEL32.DLL from privacy-eraser-setup.exe (PID: 2496)
  SizeofResource@KERNEL32.DLL from privacy-eraser-setup.exe (PID: 2496)
- source: Hybrid Analysis Technology
- relevance: 1/10

Reads configuration files
- details:
  "privacy-eraser-setup.tmp" read file "%WINDIR%\win.ini"
  "privacy-eraser-setup.tmp" read file "%PROGRAMFILES%\desktop.ini"
  "privacy-eraser-setup.tmp" read file "%APPDATA%\Mozilla\Firefox\profiles.ini"
  "PrivacyEraser64.exe" read file "C:\Program Files\desktop.ini"
  "PrivacyEraser64.exe" read file "C:\Users\%USERNAME%\Desktop\desktop.ini"
- source: API Call
- relevance: 4/10

Installation/Persistence

Modifies auto-execute functionality by setting/creating a value in the registry
- details:
  "PrivacyEraser64.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"; Key: "PRIVACY ERASER"; Value: ""%PROGRAMFILES%\Cybertron\Privacy Eraser\PrivacyEraser64.exe" /Startup")
- source: Registry Access
- relevance: 8/10
- ATT&CK ID: T1060

Network Related

Found potential IP address in binary/memory
- details:
  "3.8.11.1"
- source: File/Memory
- relevance: 3/10

Sends traffic on typical HTTP outbound port, but without HTTP header
- details:
  TCP traffic to 162.241.252.131 on port 80 is sent without HTTP header
  TCP traffic to 162.241.252.131 on port 443 is sent without HTTP header
  TCP traffic to 184.24.182.162 on port 443 is sent without HTTP header
- source: Network Traffic
- relevance: 5/10

Spyware/Information Retrieval

Accesses potentially sensitive information from local browsers
- details:
  "PrivacyEraser64.exe" had access to "%LOCALAPPDATA%\Google\Chrome\User Data" (Type: "FileHandle")
- source: Touched Handle
- relevance: 7/10

System Destruction

Marks file for deletion
- details:
  "C:\privacy-eraser-setup.exe" marked "%TEMP%\is-QPB7D.tmp\privacy-eraser-setup.tmp" for deletion
  "C:\privacy-eraser-setup.exe" marked "%TEMP%\is-QPB7D.tmp" for deletion
  "%TEMP%\is-QPB7D.tmp\privacy-eraser-setup.tmp" marked "%TEMP%\is-91OTV.tmp\PrivacyEraser64.exe" for deletion
  "%TEMP%\is-QPB7D.tmp\privacy-eraser-setup.tmp" marked "%TEMP%\is-91OTV.tmp\_isetup\_setup64.tmp" for deletion
  "%TEMP%\is-QPB7D.tmp\privacy-eraser-setup.tmp" marked "%TEMP%\is-91OTV.tmp\_isetup" for deletion
  "%TEMP%\is-QPB7D.tmp\privacy-eraser-setup.tmp" marked "%TEMP%\is-91OTV.tmp" for deletion
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1107

Opens file with deletion access rights
- details:
  "privacy-eraser-setup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\is-QPB7D.tmp\privacy-eraser-setup.tmp" with delete access
  "privacy-eraser-setup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\is-QPB7D.tmp" with delete access
  "privacy-eraser-setup.tmp" opened "C:\Program Files\Cybertron\Privacy Eraser\is-B5SNN.tmp" with delete access
  "privacy-eraser-setup.tmp" opened "C:\Program Files\Cybertron\Privacy Eraser\Languages\is-VQCLD.tmp" with delete access
  "privacy-eraser-setup.tmp" opened "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Privacy Eraser\Privacy Eraser.lnk" with delete access
  "privacy-eraser-setup.tmp" opened "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Privacy Eraser\Privacy Eraser.pif" with delete access
  "privacy-eraser-setup.tmp" opened "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Privacy Eraser\Privacy Eraser.url" with delete access
  "privacy-eraser-setup.tmp" opened "C:\Users\%USERNAME%\Desktop\Privacy Eraser.lnk" with delete access
  "privacy-eraser-setup.tmp" opened "C:\Users\%USERNAME%\Desktop\Privacy Eraser.pif" with delete access
  "privacy-eraser-setup.tmp" opened "C:\Users\%USERNAME%\Desktop\Privacy Eraser.url" with delete access
  "privacy-eraser-setup.tmp" opened "C:\Program Files\Cybertron\Privacy Eraser\is-GGK8O.tmp" with delete access
  "privacy-eraser-setup.tmp" opened "C:\Program Files\Cybertron\Privacy Eraser\Languages\is-9D8F7.tmp" with delete access
  "privacy-eraser-setup.tmp" opened "C:\Program Files\Cybertron\Privacy Eraser\Languages\is-0OE5N.tmp" with delete access
  "privacy-eraser-setup.tmp" opened "C:\Program Files\Cybertron\Privacy Eraser\Languages\is-MQM5G.tmp" with delete access
  "privacy-eraser-setup.tmp" opened "C:\Program Files\Cybertron\Privacy Eraser\Languages\is-QGVGM.tmp" with delete access
  "privacy-eraser-setup.tmp" opened "C:\Program Files\Cybertron\Privacy Eraser\Languages\is-9BT5Q.tmp" with delete access
  "privacy-eraser-setup.tmp" opened "C:\Program Files\Cybertron\Privacy Eraser\Languages\is-1H41O.tmp" with delete access
  "privacy-eraser-setup.tmp" opened "C:\Program Files\Cybertron\Privacy Eraser\Languages\is-8UB8K.tmp" with delete access
  "privacy-eraser-setup.tmp" opened "C:\Program Files\Cybertron\Privacy Eraser\Languages\is-B3FJ8.tmp" with delete access
  "privacy-eraser-setup.tmp" opened "C:\Program Files\Cybertron\Privacy Eraser\Languages\is-JSEHK.tmp" with delete access
- source: API Call
- relevance: 7/10

System Security

Modifies Software Policy Settings
- details:
  "PrivacyEraser64.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
  "PrivacyEraser64.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
  "PrivacyEraser64.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
  "PrivacyEraser64.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
  "PrivacyEraser64.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
  "PrivacyEraser64.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
  "PrivacyEraser64.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
  "PrivacyEraser64.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
  "PrivacyEraser64.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
  "PrivacyEraser64.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
  "PrivacyEraser64.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
  "PrivacyEraser64.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
  "PrivacyEraser64.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
  "PrivacyEraser64.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
  "PrivacyEraser64.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
  "PrivacyEraser64.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
  "PrivacyEraser64.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
  "PrivacyEraser64.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
  "PrivacyEraser64.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
  "PrivacyEraser64.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112

Modifies proxy settings
- details:
  "PrivacyEraser64.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
  "PrivacyEraser64.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
  "PrivacyEraser64.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
  "PrivacyEraser64.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  "PrivacyEraser64.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112

Queries sensitive IE security settings
- details:
  "PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source: Registry Access
- relevance: 8/10
- ATT&CK ID: T1012

Unusual Characteristics

Imports suspicious APIs
- details:
  RegCloseKey, OpenProcessToken, RegOpenKeyExW, GetFileAttributesW, WriteFile, GetModuleFileNameW, UnhandledExceptionFilter, LoadLibraryExW, CreateThread, ExitThread, LoadLibraryW, GetVersionExW, GetTickCount, VirtualProtect, LoadLibraryA, GetFileSize, GetStartupInfoW, CreateDirectoryW, DeleteFileW, GetProcAddress, FindFirstFileW, CreateFileW, LockResource, GetCommandLineW, GetModuleHandleW, FindResourceW, CreateProcessW, Sleep, VirtualAlloc
- source: Static Parser
- relevance: 1/10

Installs hooks/patches the running process
- details:
  "privacy-eraser-setup.exe" wrote bytes "711109027a3b0802ab8b02007f950200fc8c0200729602006cc805001ecd05027d260502" to virtual address "0x75A507E4" (part of module "USER32.DLL")
  "privacy-eraser-setup.tmp" wrote bytes "711109027a3b0802ab8b02007f950200fc8c0200729602006cc805001ecd05027d260502" to virtual address "0x75A507E4" (part of module "USER32.DLL")
  "privacy-eraser-setup.tmp" wrote bytes "b8c015b174ffe0" to virtual address "0x753236B4" (part of module "SSPICLI.DLL")
  "privacy-eraser-setup.tmp" wrote bytes "b83012b174ffe0" to virtual address "0x75EE1368" (part of module "WS2_32.DLL")
  "privacy-eraser-setup.tmp" wrote bytes "d83a3275" to virtual address "0x75330274" (part of module "SSPICLI.DLL")
  "privacy-eraser-setup.tmp" wrote bytes "b84013b174ffe0" to virtual address "0x75323AD8" (part of module "SSPICLI.DLL")
  "privacy-eraser-setup.tmp" wrote bytes "d83a0200" to virtual address "0x75324E38" (part of module "SSPICLI.DLL")
  "privacy-eraser-setup.tmp" wrote bytes "d83a0200" to virtual address "0x75324D78" (part of module "SSPICLI.DLL")
  "privacy-eraser-setup.tmp" wrote bytes "d83a3275" to virtual address "0x75330258" (part of module "SSPICLI.DLL")
  "privacy-eraser-setup.tmp" wrote bytes "b4363275" to virtual address "0x75330278" (part of module "SSPICLI.DLL")
  "privacy-eraser-setup.tmp" wrote bytes "68130000" to virtual address "0x75EE1680" (part of module "WS2_32.DLL")
  "privacy-eraser-setup.tmp" wrote bytes "b4363275" to virtual address "0x7533025C" (part of module "SSPICLI.DLL")
  "privacy-eraser-setup.tmp" wrote bytes "d83a3275" to virtual address "0x753301FC" (part of module "SSPICLI.DLL")
  "privacy-eraser-setup.tmp" wrote bytes "d83a3275" to virtual address "0x753301E0" (part of module "SSPICLI.DLL")
  "privacy-eraser-setup.tmp" wrote bytes "b4363275" to virtual address "0x75330200" (part of module "SSPICLI.DLL")
  "privacy-eraser-setup.tmp" wrote bytes "b4360200" to virtual address "0x75324EA4" (part of module "SSPICLI.DLL")
  "privacy-eraser-setup.tmp" wrote bytes "b4363275" to virtual address "0x753301E4" (part of module "SSPICLI.DLL")
  "privacy-eraser-setup.tmp" wrote bytes "c0dfa8771cf9a777ccf8a7770d64a97700000000c011de7500000000fc3ede7500000000e013de75000000009457c27625e0a877c6e0a87700000000bc6ac17600000000cf31de75000000009319c276000000002c32de7500000000" to virtual address "0x75B91000" (part of module "NSI.DLL")
  "privacy-eraser-setup.tmp" wrote bytes "d055fa75647303760000000051c1857594988575ee9c857575dc8775273e87750fb38b75000000008548de756987de750f77e075d917de75ead7df75a934de75f811de752014de750c11de75f516de755414de75ff10de753214de7500000000" to virtual address "0x73FA1000" (part of module "SHFOLDER.DLL")
  "privacy-eraser-setup.tmp" wrote bytes "b4360200" to virtual address "0x75324D68" (part of module "SSPICLI.DLL")
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179

Reads information about supported languages
- details:
  "privacy-eraser-setup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  "privacy-eraser-setup.tmp" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  "PrivacyEraser64.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012

Hiding 16 Suspicious Indicators
Informative 38
-
Anti-Reverse Engineering
-
Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
- details
-
Found reference to API GetLogicalProcessorInformation@KERNEL32.DLL from privacy-eraser-setup.exe (PID: 2496) (Show Stream)
Found reference to API GetThreadPreferredUILanguages@KERNEL32.DLL from privacy-eraser-setup.exe (PID: 2496) (Show Stream)
Found reference to API GetLongPathNameW@KERNEL32.DLL from privacy-eraser-setup.exe (PID: 2496) (Show Stream)
Found reference to API SetProcessDEPPolicy@KERNEL32.DLL from privacy-eraser-setup.exe (PID: 2496) (Show Stream) - source
- Hybrid Analysis Technology
- relevance
- 10/10
-
PE file contains zero-size sections
- details
-
Raw size of ".bss" is zero
Raw size of ".tls" is zero - source
- Static Parser
- relevance
- 10/10
-
Environment Awareness
-
Contains ability to query machine time
- details
-
GetLocalTime@kernel32.dll
GetLocalTime@KERNEL32.DLL from privacy-eraser-setup.exe (PID: 2496) - source
- Hybrid Analysis Technology
- relevance
- 1/10
- ATT&CK ID
- T1124
-
Contains ability to query the machine version
- details
-
GetVersionExW@kernel32.dll
GetVersion@kernel32.dll
GetVersionExW@kernel32.dll
GetVersion@kernel32.dll
GetVersionExW@kernel32.dll
GetVersion@kernel32.dll
GetVersion@kernel32.dll
GetVersionExW@KERNEL32.DLL from privacy-eraser-setup.exe (PID: 2496)
GetVersion@KERNEL32.DLL from privacy-eraser-setup.exe (PID: 2496)
GetVersionExW@KERNEL32.DLL from privacy-eraser-setup.exe (PID: 2496)
GetVersion@KERNEL32.DLL from privacy-eraser-setup.exe (PID: 2496)
GetVersionExW@KERNEL32.DLL from privacy-eraser-setup.exe (PID: 2496)
GetVersion@KERNEL32.DLL from privacy-eraser-setup.exe (PID: 2496)
GetVersion@KERNEL32.DLL from privacy-eraser-setup.exe (PID: 2496) - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the system locale
- details
- GetUserDefaultUILanguage@KERNEL32.DLL from privacy-eraser-setup.exe (PID: 2496)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query volume size
- details
-
GetDiskFreeSpaceW@kernel32.dll
GetDiskFreeSpaceW@KERNEL32.DLL from privacy-eraser-setup.exe (PID: 2496) - source
- Hybrid Analysis Technology
- relevance
- 3/10
- ATT&CK ID
- T1083
-
Makes a code branch decision directly after an API that is environment aware
- details
-
Found API call GetVersion@kernel32.dll directly followed by "cmp byte ptr [004AFC0Ch], 00h" and "je 0040A642h"
Found API call GetVersion@kernel32.dll directly followed by "cmp ax, 00000600h" and "je 004A717Ah"
Found API call GetVersion@KERNEL32.DLL directly followed by "cmp byte ptr [004AFC0Ch], 00h" and "je 0040A642h" from privacy-eraser-setup.exe (PID: 2496)
Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ax, 00000600h" and "je 004A717Ah" from privacy-eraser-setup.exe (PID: 2496) - source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Queries volume information
- details
-
"privacy-eraser-setup.tmp" queries volume information of "C:\" at 00009410-00003672-00000046-193358067791
"privacy-eraser-setup.tmp" queries volume information of "%PROGRAMFILES%\Cybertron\Privacy Eraser\PrivacyEraser64.exe" at 00009410-00003672-00000046-193359719354
"privacy-eraser-setup.tmp" queries volume information of "C:\" at 00009410-00003672-00000046-206155066605
"privacy-eraser-setup.tmp" queries volume information of "C:\Program Files\Cybertron\Privacy Eraser\PrivacyEraser64.exe" at 00009410-00003672-00000046-206179171866
"privacy-eraser-setup.tmp" queries volume information of "C:\" at 00009410-00003672-00000046-207078339479
"privacy-eraser-setup.tmp" queries volume information of "C:\Program Files\Cybertron\Privacy Eraser\unins000.exe" at 00009410-00003672-00000046-207080199899
"PrivacyEraser64.exe" queries volume information of "C:\Program Files\Cybertron\Privacy Eraser\PrivacyEraser64.exe" at 00016680-00003272-00000046-247809807200
"PrivacyEraser64.exe" queries volume information of "C:\" at 00016680-00003272-00000046-247852653617
"PrivacyEraser64.exe" queries volume information of "C:\Program Files\Cybertron\Privacy Eraser\PrivacyEraser64.exe" at 00016680-00003272-00000046-247854924517
"PrivacyEraser64.exe" queries volume information of "C:\" at 00016680-00003272-00000046-247885807678
"PrivacyEraser64.exe" queries volume information of "C:\Program Files\Cybertron\Privacy Eraser\PrivacyEraser64.exe" at 00016680-00003272-00000046-247887800981
"PrivacyEraser64.exe" queries volume information of "C:\" at 00016680-00003272-00000046-262463530094
"PrivacyEraser64.exe" queries volume information of "C:\" at 00016680-00003272-00000046-263897625928
"PrivacyEraser64.exe" queries volume information of "C:\share" at 00016680-00003272-00000046-265110355323 - source
- API Call
- relevance
- 2/10
- ATT&CK ID
- T1120
-
Queries volume information of an entire hard drive
- details
-
"privacy-eraser-setup.tmp" queries volume information of "C:\" at 00009410-00003672-00000046-193358067791
"privacy-eraser-setup.tmp" queries volume information of "C:\" at 00009410-00003672-00000046-206155066605
"privacy-eraser-setup.tmp" queries volume information of "C:\" at 00009410-00003672-00000046-207078339479
"PrivacyEraser64.exe" queries volume information of "C:\" at 00016680-00003272-00000046-247852653617
"PrivacyEraser64.exe" queries volume information of "C:\" at 00016680-00003272-00000046-247885807678
"PrivacyEraser64.exe" queries volume information of "C:\" at 00016680-00003272-00000046-262463530094
"PrivacyEraser64.exe" queries volume information of "C:\" at 00016680-00003272-00000046-263897625928 - source
- API Call
- relevance
- 8/10
- ATT&CK ID
- T1120
-
Reads the registry for installed applications
- details
-
"privacy-eraser-setup.tmp" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{CB5AC03C-B8AD-980F-998E-51969A6DFC9F}_IS1")
"privacy-eraser-setup.tmp" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\PRIVACY-ERASER-SETUP.TMP")
"privacy-eraser-setup.tmp" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\PRIVACY-ERASER-SETUP.TMP")
"privacy-eraser-setup.tmp" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{CB5AC03C-B8AD-980F-998E-51969A6DFC9F}_IS1")
"privacy-eraser-setup.tmp" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{CB5AC03C-B8AD-980F-998E-51969A6DFC9F}_IS1")
"privacy-eraser-setup.tmp" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\IEXPLORE.EXE")
"privacy-eraser-setup.tmp" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\IEXPLORE.EXE")
"privacy-eraser-setup.tmp" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\IEXPLORE.EXE"; Key: "PATH"; Value: "00000000010000004800000043003A005C00500072006F006700720061006D002000460069006C00650073005C0049006E007400650072006E006500740020004500780070006C006F007200650072003B000000") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/69 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
Accesses Software Policy Settings
- details
-
"PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"PrivacyEraser64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"PrivacyEraser64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"PrivacyEraser64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"PrivacyEraser64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"PrivacyEraser64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"PrivacyEraser64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"PrivacyEraser64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"PrivacyEraser64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"PrivacyEraser64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
"PrivacyEraser64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"PrivacyEraser64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"PrivacyEraser64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
-
Accesses System Certificates Settings
- details
-
"PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\104C63D2546B8021DD105E9FBA5A8D78169F6B32"; Key: "BLOB")
"PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\1FB86B1168EC743154062E8C9CC5B171A4B7CCB4"; Key: "BLOB")
"PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\247106A405B288A46E70A0262717162D0903E734"; Key: "BLOB")
"PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
"PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\339CDD57CFD5B141169B615FF31428782D1DA639"; Key: "BLOB")
"PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\5AEAEE3F7F2A9449CEBAFEEC68FDD184F20124A7"; Key: "BLOB")
"PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\902EF2DEEB3C5B13EA4C3D5193629309E231AE55"; Key: "BLOB")
"PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\C86EDBC71AB05078F61ACDF3D8DC5DB61EB75FB6"; Key: "BLOB")
"PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\E3FC0AD84F2F5A83ED6F86F567F8B14B40DCBF12"; Key: "BLOB")
"PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\EAB040689A0D805B5D6FD654FC168CFF00B78BE3"; Key: "BLOB")
"PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0"; Key: "BLOB")
"PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
"PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"PrivacyEraser64.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Contacts domains
- details
-
"www.cybertronsoft.com"
"isrg.trustid.ocsp.identrust.com"
"m.addthis.com"
"ocsp.int-x3.letsencrypt.org"
"s7.addthis.com"
"v1.addthisedge.com" - source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
-
"162.241.252.131:80"
"162.241.252.131:443"
"184.24.182.162:443" - source
- Network Traffic
- relevance
- 1/10
-
Contains SQL queries
- details
-
"UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;"
"UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');"
"UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;"
"INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);"
"SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'"
"SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';"
"SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0" - source
- File/Memory
- relevance
- 2/10
-
Creates a writable file in a temporary directory
- details
-
"privacy-eraser-setup.exe" created file "%TEMP%\is-QPB7D.tmp\privacy-eraser-setup.tmp"
"privacy-eraser-setup.tmp" created file "%TEMP%\is-91OTV.tmp\_isetup\_setup64.tmp"
"privacy-eraser-setup.tmp" created file "%TEMP%\is-91OTV.tmp\PrivacyEraser64.exe"
"iexplore.exe" created file "%TEMP%\~DF2F85162349C6AC0B.TMP"
"iexplore.exe" created file "%TEMP%\~DF747BE0AAF6EC522C.TMP"
"iexplore.exe" created file "%TEMP%\~DFF16A816F75884D20.TMP"
"iexplore.exe" created file "%TEMP%\~DFCFB1B444271785D7.TMP"
"iexplore.exe" created file "%TEMP%\~DFFEBB2580900C7085.TMP"
"iexplore.exe" created file "%TEMP%\JavaDeployReg.log"
"iexplore.exe" created file "%TEMP%\JavaDeployReg.log" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511"
"\Sessions\1\BaseNamedObjects\Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000"
"Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000"
"Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511"
"\Sessions\1\BaseNamedObjects\Local\!BrowserEmulation!SharedMemory!Mutex"
"\Sessions\1\BaseNamedObjects\Local\VERMGMTBlockListFileMutex"
"\Sessions\1\BaseNamedObjects\Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1036"
"\Sessions\1\BaseNamedObjects\Local\URLBLOCK_HASHFILESWITCH_MUTEX"
"\Sessions\1\BaseNamedObjects\Local\URLBLOCK_DOWNLOAD_MUTEX"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\IsoScope_40c_IE_EarlyTabStart_0x998_Mutex"
"\Sessions\1\BaseNamedObjects\IsoScope_40c_ConnHashTable<1036>_HashTable_Mutex"
"\Sessions\1\BaseNamedObjects\{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"
"\Sessions\1\BaseNamedObjects\IsoScope_40c_IESQMMUTEX_0_303"
"\Sessions\1\BaseNamedObjects\IsoScope_40c_IESQMMUTEX_0_331" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "urlblockindex_1_.bin" as clean (type is "data")
- source
- Binary File
- relevance
- 10/10
-
GETs files from a webserver
- details
-
"GET /products/privacy-eraser/whats-new HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.cybertronsoft.com
DNT: 1
Connection: Keep-Alive"
"GET /download/privacy-eraser/update.xml HTTP/1.1
Accept: */*
Host: www.cybertronsoft.com
Cache-Control: no-cache" - source
- Network Traffic
- relevance
- 5/10
-
Launches a browser
- details
-
Launches browser "iexplore.exe"
Launches browser "iexplore.exe"
Launches browser "iexplore.exe"
Launches browser "iexplore.exe" - source
- Monitored Target
- relevance
- 3/10
-
Overview of unique CLSIDs touched in registry
- details
-
"privacy-eraser-setup.tmp" touched "Computer" (Path: "HKCU\WOW6432NODE\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
"privacy-eraser-setup.tmp" touched "Microsoft Multiple AutoComplete List Container" (Path: "HKCU\WOW6432NODE\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}")
"privacy-eraser-setup.tmp" touched "Microsoft Shell Folder AutoComplete List" (Path: "HKCU\WOW6432NODE\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\TREATAS")
"privacy-eraser-setup.tmp" touched "Microsoft AutoComplete" (Path: "HKCU\WOW6432NODE\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\TREATAS")
"privacy-eraser-setup.tmp" touched "Microsoft TipAutoCompleteClient Control" (Path: "HKCU\WOW6432NODE\CLSID\{807C1E6C-1D00-453F-B920-B61BB7CDD997}\TREATAS")
"privacy-eraser-setup.tmp" touched "Task Bar Communication" (Path: "HKCU\WOW6432NODE\CLSID\{56FDF344-FD6D-11D0-958A-006097C9A090}\TREATAS")
"privacy-eraser-setup.tmp" touched "Shortcut" (Path: "HKCU\WOW6432NODE\CLSID\{00021401-0000-0000-C000-000000000046}\TREATAS")
"privacy-eraser-setup.tmp" touched "Memory Mapped Cache Mgr" (Path: "HKCU\WOW6432NODE\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\TREATAS")
"privacy-eraser-setup.tmp" touched "Network" (Path: "HKCU\WOW6432NODE\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\SHELLFOLDER")
"privacy-eraser-setup.tmp" touched "Property System Both Class Factory" (Path: "HKCU\WOW6432NODE\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}\TREATAS")
"privacy-eraser-setup.tmp" touched "Application Registration" (Path: "HKCU\WOW6432NODE\CLSID\{591209C7-767B-42B2-9FBA-44EE4615F2C7}\TREATAS")
"PrivacyEraser64.exe" touched "TaskScheduler class" (Path: "HKCU\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}")
"PrivacyEraser64.exe" touched "Recycle Bin" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\SHELL")
"PrivacyEraser64.exe" touched "WinInetBroker Class" (Path: "HKCU\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}")
"PrivacyEraser64.exe" touched "PSFactoryBuffer" (Path: "HKCU\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}")
"PrivacyEraser64.exe" touched "Custom Destination List" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}")
"PrivacyEraser64.exe" touched "A collection of IUnknown objects that can be enumerated" (Path: "HKCU\CLSID\{2D3468C1-36A7-43B6-AC24-D3F02FD9607A}\TREATAS")
"PrivacyEraser64.exe" touched "NetworkListManager" (Path: "HKCU\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\TREATAS")
"PrivacyEraser64.exe" touched "Network List Manager" (Path: "HKCU\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}\TREATAS") - source
- Registry Access
- relevance
- 3/10
-
Process launched with changed environment
- details
-
Process "iexplore.exe" was launched with new environment variables: "PATH="%PROGRAMFILES%\Internet Explorer;""
Process "PrivacyEraser64.exe" was launched with new environment variables: "PROCESSOR_ARCHITEW6432="AMD64""
Process "PrivacyEraser64.exe" was launched with missing environment variables: "PATH"
Process "iexplore.exe" was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
Process "iexplore.exe" was launched with missing environment variables: "PROCESSOR_ARCHITEW6432"
Process "PrivacyEraser64.exe" was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles" - source
- Monitored Target
- relevance
- 10/10
-
Reads Windows Trust Settings
- details
- "PrivacyEraser64.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012
-
Scanning for window names
- details
-
"privacy-eraser-setup.tmp" searching for class "IEFrame"
"privacy-eraser-setup.tmp" searching for class "Shell_TrayWnd"
"PrivacyEraser64.exe" searching for class "Shell_TrayWnd" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010
-
Spawns new processes
- details
-
Spawned process "privacy-eraser-setup.tmp" with commandline "/SL5="$50246,5374264,721408,C:\privacy-eraser-setup.exe""
Spawned process "PrivacyEraser64.exe" with commandline "/CheckMutex"
Spawned process "PrivacyEraser64.exe" with commandline "/Install /RBAddOpen /RBAddErase /WEAddErase"
Spawned process "iexplore.exe" with commandline "http://www.cybertronsoft.com/products/privacy-eraser/whats-new"
Spawned process "iexplore.exe" with commandline "http://www.cybertronsoft.com/products/privacy-eraser/whats-new"
Spawned process "PrivacyEraser64.exe"
Spawned process "iexplore.exe" with commandline "SCODEF:1036 CREDAT:275457 /prefetch:2"
Spawned process "iexplore.exe" with commandline "SCODEF:3316 CREDAT:275457 /prefetch:2"
Spawned process "PrivacyEraser64.exe" - source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
-
Spawned process "privacy-eraser-setup.tmp" with commandline "/SL5="$50246,5374264,721408,C:\privacy-eraser-setup.exe""
Spawned process "PrivacyEraser64.exe" with commandline "/CheckMutex"
Spawned process "PrivacyEraser64.exe" with commandline "/Install /RBAddOpen /RBAddErase /WEAddErase"
Spawned process "iexplore.exe" with commandline "http://www.cybertronsoft.com/products/privacy-eraser/whats-new"
Spawned process "iexplore.exe" with commandline "http://www.cybertronsoft.com/products/privacy-eraser/whats-new"
Spawned process "PrivacyEraser64.exe"
Spawned process "iexplore.exe" with commandline "SCODEF:1036 CREDAT:275457 /prefetch:2"
Spawned process "iexplore.exe" with commandline "SCODEF:3316 CREDAT:275457 /prefetch:2"
Spawned process "PrivacyEraser64.exe" - source
- Monitored Target
- relevance
- 3/10
-
The input sample is signed with a certificate
- details
-
The input sample is signed with a certificate issued by "CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA" (SHA1: 6C:07:45:3F:FD:DA:08:B8:37:07:C0:9B:82:FB:3D:15:F3:53:36:B1; see report for more information)
The input sample is signed with a certificate issued by "EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA" (SHA1: 1F:A4:90:D1:D4:95:79:42:CD:23:54:5F:6E:82:3D:00:00:79:6E:A2; see report for more information)
The input sample is signed with a certificate issued by "CN=thawte Primary Root CA, OU="c 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US" (SHA1: D0:0C:FD:BF:46:C9:8A:83:8B:C1:0D:C4:E0:97:AE:01:52:C4:61:BC; see report for more information)
The input sample is signed with a certificate issued by "CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US" (SHA1: 65:43:99:29:B6:79:73:EB:19:2D:6F:F2:43:E6:76:7A:DF:08:34:E4; see report for more information)
The input sample is signed with a certificate issued by "CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US" (SHA1: A6:1B:43:AB:90:20:B3:70:EA:F6:3D:36:3E:CE:FE:93:64:4E:7C:00; see report for more information) - source
- Certificate Data
- relevance
- 10/10
- ATT&CK ID
- T1116
-
The input sample is signed with a valid certificate
- details
- The entire certificate chain of the input sample was validated successfully.
- source
- Certificate Data
- relevance
- 10/10
-
The input sample possibly contains the RDTSCP instruction
- details
- Found VM detection artifact "RDTSCP trick" in "1a56890bfe840747613d2c10f461559c9414d9f7f363d0edcdd521486e91bfec.bin" (Offset: 3619370)
- source
- Binary File
- relevance
- 5/10
-
Installation/Persistence
-
Connects to LPC ports
- details
-
"privacy-eraser-setup.exe" connecting to "\ThemeApiPort"
"privacy-eraser-setup.tmp" connecting to "\ThemeApiPort"
"PrivacyEraser64.exe" connecting to "\ThemeApiPort" - source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"Privacy Eraser.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Archive ctime=Fri Oct 11 10:20:59 2019 mtime=Fri Oct 11 10:20:59 2019 atime=Sun Oct 6 16:15:24 2019 length=7092864 window=hide"
"Uninstall Privacy Eraser.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Archive ctime=Fri Oct 11 10:20:59 2019 mtime=Fri Oct 11 10:20:59 2019 atime=Fri Oct 11 10:17:28 2019 length=2547336 window=hide"
"urlblockindex_1_.bin" has type "data"
"Privacy Eraser.lnk" has type "empty"
"LQQNQ13K.txt" has type "ASCII text"
"logo_2_.png" has type "PNG image data 178 x 22 8-bit/color RGBA non-interlaced"
"it_1_.png" has type "PNG image data 16 x 11 8-bit/color RGB non-interlaced"
"PEOBUJEOG5K0347HSQYN.temp" has type "data"
"es_2_.png" has type "PNG image data 16 x 11 8-bit/color RGB non-interlaced"
"whats-new_1_.htm" has type "HTML document UTF-8 Unicode (with BOM) text with CRLF LF line terminators"
"is-VQCLD.tmp" has type "XML 1.0 document UTF-8 Unicode (with BOM) text with CRLF line terminators"
"6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04" has type "data"
"lg-share-en_2_.gif" has type "GIF image data version 89a 125 x 16"
"~DFF16A816F75884D20.TMP" has type "data"
"bootstrap.min_1_.js" has type "ASCII text with very long lines"
"jp_1_.png" has type "PNG image data 16 x 11 8-bit/color RGB non-interlaced"
"favicon_2_.ico" has type "PNG image data 16 x 16 4-bit colormap non-interlaced" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"privacy-eraser-setup.exe" touched file "%WINDIR%\SysWOW64\en-US\KernelBase.dll.mui"
"privacy-eraser-setup.exe" touched file "C:\Windows\syswow64\en\KERNELBASE.dll.mui"
"privacy-eraser-setup.exe" touched file "C:\Windows\SysWOW64\netmsg.dll"
"privacy-eraser-setup.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
"privacy-eraser-setup.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"privacy-eraser-setup.tmp" touched file "C:\Windows\Fonts\StaticCache.dat"
"privacy-eraser-setup.tmp" touched file "C:\Windows\SysWOW64\en-US\user32.dll.mui"
"privacy-eraser-setup.tmp" touched file "C:\Windows\SysWOW64\en-US\KernelBase.dll.mui"
"privacy-eraser-setup.tmp" touched file "C:\Windows\syswow64\en\KERNELBASE.dll.mui"
"privacy-eraser-setup.tmp" touched file "C:\Windows\SysWOW64\netmsg.dll"
"privacy-eraser-setup.tmp" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"privacy-eraser-setup.tmp" touched file "C:\Windows\SysWOW64\en-US\msctf.dll.mui"
"privacy-eraser-setup.tmp" touched file "C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_581cd2bf5825dde9\comctl32.dll.mui"
"privacy-eraser-setup.tmp" touched file "C:\Windows\SysWOW64\shfolder.dll"
"privacy-eraser-setup.tmp" touched file "C:\Windows\AppPatch\AppPatch64\sysmain.sdb"
"privacy-eraser-setup.tmp" touched file "C:\Windows\SysWOW64\imageres.dll"
"privacy-eraser-setup.tmp" touched file "C:\Windows\SysWOW64\shell32.dll" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://schemas.microsoft.com/SMI/2"
Heuristic match: "84@qRD.NF"
Heuristic match: "k&T2/|R.Ms"
Pattern match: "http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline"
Pattern match: "www.cybertronsoft.com"
Heuristic match: "isrg.trustid.ocsp.identrust.com"
Heuristic match: "m.addthis.com"
Heuristic match: "ocsp.int-x3.letsencrypt.org"
Heuristic match: "s7.addthis.com"
Heuristic match: "v1.addthisedge.com"
Pattern match: "http://schemas.microsoft.com/SMI/2005/Windows"
Pattern match: "http://www.cybertronsoft.com/products/privacy-eraser/"
Pattern match: "http://www.cybertronsoft.com/products/privacy-eraser/whats-new"
Pattern match: "http://schemas.microsoft.com/SMI/20"
Pattern match: "https://www.cybertronsoft.com/products/privacy-eraser/whats-new"
Pattern match: "https://www.cybertronsoft.com/css/bootstrap.min.css"
Pattern match: "https://www.cybertronsoft.com/css/style.css"
Pattern match: "https://schema.org"
Pattern match: "https://www.cybertronsoft.com/js/jquery.min.js"
Pattern match: "https://www.cybertronsoft.com/js/jquery-migrate-1.1.1.js"
Pattern match: "https://www.cybertronsoft.com/js/bootstrap.min.js"
Pattern match: "https://www.cybertronsoft.com/js/common-script.js"
Pattern match: "https://www.cybertronsoft.com"
Pattern match: "https://www.cybertronsoft.com/images/flags/us.png"
Pattern match: "https://www.cybertronsoft.com/"
Pattern match: "https://translate.google.com/translate?hl=en&tl=fr&u=https://www.cybertronsoft.com"
Pattern match: "https://translate.google.com/translate?hl=en&tl=de&u=https://www.cybertronsoft.com"
Pattern match: "https://translate.google.com/translate?hl=en&tl=it&u=https://www.cybertronsoft.com"
Pattern match: "https://translate.google.com/translate?hl=en&tl=ja&u=https://www.cybertronsoft.com"
Pattern match: "https://translate.google.com/translate?hl=en&tl=es&u=https://www.cybertronsoft.com"
Pattern match: "https://translate.google.com/translate?hl=en&tl=pt&u=https://www.cybertronsoft.com"
Pattern match: "https://translate.google.com/translate?hl=en&tl=zh-CN&u=https://www.cybertronsoft.com"
Pattern match: "https://translate.google.com/translate?hl=en&tl=zh-TW&u=https://www.cybertronsoft.com"
Pattern match: "https://www.cybertronsoft.com/products/privacy-eraser/"
Pattern match: "https://www.cybertronsoft.com/products/privacy-drive/"
Pattern match: "https://www.cybertronsoft.com/products/"
Pattern match: "https://www.cybertronsoft.com/download/"
Pattern match: "https://www.cybertronsoft.com/purchase/"
Pattern match: "https://www.cybertronsoft.com/online-help"
Pattern match: "https://www.cybertronsoft.com/support/support-center"
Pattern match: "https://www.cybertronsoft.com/company/about-us"
Pattern match: "https://www.cybertronsoft.com/company/contact-us"
Pattern match: "https://www.cybertronsoft.com/company/partners"
Pattern match: "https://www.cybertronsoft.com/company/press-center/"
Pattern match: "https://www.cybertronsoft.com/company/media-kit"
Pattern match: "https://www.cybertronsoft.com/company/newsletter"
Pattern match: "https://www.cybertronsoft.com/download/privacy-eraser-portable.zip"
Pattern match: "https://www.facebook.com/CybertronSoft"
Pattern match: "https://www.twitter.com/CybertronSoft"
Pattern match: "https://www.addthis.com/bookmark.php?v=250&pubid=CybertronSoft"
Pattern match: "https://s7.addthis.com/static/btn/v2/lg-share-en.gif"
Pattern match: "https://s7.addthis.com/js/250/addthis_widget.js#pubid=CybertronSoft"
Pattern match: "https://www.cybertronsoft.com/terms-of-use"
Pattern match: "http://getbootstrap.com"
Pattern match: "https://github.com/twbs/bootstrap/blob/master/LICENSE" - source
- File/Memory
- relevance
- 10/10
-
Spyware/Information Retrieval
-
Found a reference to a known community page
- details
-
"<li>Improved Adobe Reader Touch, AntiVir Desktop, Skype App and Twitter App cleaning.</li>" (Indicator: "twitter")
"<a href="https://www.facebook.com/CybertronSoft" target="_blank">Facebook</a>" (Indicator: "facebook.com")
"<a href="https://www.twitter.com/CybertronSoft" target="_blank">Twitter</a>" (Indicator: "twitter")
"* Copyright 2011-2015 Twitter, Inc." (Indicator: "twitter")
"<Text name="TWITTER">Twitter</Text>" (Indicator: "twitter") - source
- File/Memory
- relevance
- 7/10
-
System Security
-
Creates or modifies windows services
- details
- "PrivacyEraser64.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"privacy-eraser-setup.tmp" opened "\Device\KsecDD"
"PrivacyEraser64.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
- "1a56890bfe840747613d2c10f461559c9414d9f7f363d0edcdd521486e91bfec.bin" was detected as "Borland Delphi 4.0"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1002
-
File Details
privacy-eraser-setup.exe
- Filename
- privacy-eraser-setup.exe
- Size
- 5.9MiB (6187568 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 1a56890bfe840747613d2c10f461559c9414d9f7f363d0edcdd521486e91bfec
- MD5
- e3356dd3c71b8e7cfedb0636c97b728d
- SHA1
- b893bd2948156d42a12d971767b645cc14cd7a7b
- ssdeep
- 98304:0X45/jA50KGF0kzxHTxt5spaER0FkfVnDs7b//tIt2R+ncT+4LPxUTgG7a9Vh0jL:CYU9G3VTb5D627bvR+nypU97YVElZ
- imphash
- eb5bc6ff6263b364dfbfb78bdb48ed59
- authentihash
- 963abdc549355c45cf85536a176b504e5b281ef88fd591f09e5c43a5d6b9b922
- Compiler/Packer
- Borland Delphi 4.0
Version Info
- LegalCopyright
- 2002-2019 Cybertron Software Co., Ltd. All rights reserved.
- FileVersion
- 4.55.2.3261
- CompanyName
- Cybertron Software Co., Ltd.
- Comments
- This installation was built with Inno Setup.
- ProductName
- Privacy Eraser Free
- ProductVersion
- 4.55.2.3261
- FileDescription
- Privacy Eraser Free Setup
- OriginalFileName
- -
- Translation
- 0x0000 0x04b0
Classification (TrID)
- 51.3% (.EXE) Inno Setup installer
- 20.1% (.EXE) InstallShield setup
- 19.4% (.EXE) Win32 EXE PECompact compressed (generic)
- 3.0% (.DLL) Win32 Dynamic Link Library (generic)
- 2.1% (.EXE) Win32 Executable (generic)
File Sections
File Resources
File Imports
File Exports
Name | Ordinal | Address |
---|---|---|
dbkFCallWrapperAddr | #1 | 0x4b063c |
__dbk_fcall_wrapper | #2 | 0x40d3dc |
TMethodImplementationIntercept | #3 | 0x453abc |
File Certificates
Certificate chain was successfully validated.
Owner | Issuer | Serial | Valid from | Valid to | MD5 | SHA1 |
---|---|---|---|---|---|---|
CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US | CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA | 7e93ebfb7cc64e59ea4b9a77d406fc3b | 12/21/2012 00:00:00 | 12/30/2020 23:59:59 | 7B:A3:69:EE:9A:BD:81:E0:FC:76:74:E9:70:9E:15:1D | 6C:07:45:3F:FD:DA:08:B8:37:07:C0:9B:82:FB:3D:15:F3:53:36:B1 |
CN=thawte Primary Root CA, OU="c 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US | EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA | 3365500879ad73e230b9e01d0d7fac91 | 11/17/2006 00:00:00 | 12/30/2020 23:59:59 | D6:6A:92:1C:83:BF:A2:AE:6F:99:5B:44:E7:C2:AB:2A | 1F:A4:90:D1:D4:95:79:42:CD:23:54:5F:6E:82:3D:00:00:79:6E:A2 |
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US | CN=thawte Primary Root CA, OU="c 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US | 71a0b73695ddb1afc23b2b9a18ee54cb | 12/10/2013 00:00:00 | 12/09/2023 23:59:59 | 87:19:53:A9:8D:41:50:C3:3C:69:A0:C5:AE:9A:68:C6 | D0:0C:FD:BF:46:C9:8A:83:8B:C1:0D:C4:E0:97:AE:01:52:C4:61:BC |
CN=Symantec Time Stamping Services Signer - G4, O=Symantec Corporation, C=US | CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US | ecff438c8febf356e04d86a981b1a50 | 10/18/2012 00:00:00 | 12/29/2020 23:59:59 | 08:32:B6:5C:C3:E3:A4:9B:C3:81:BA:95:E1:B5:87:37 | 65:43:99:29:B6:79:73:EB:19:2D:6F:F2:43:E6:76:7A:DF:08:34:E4 |
CN="Cybertron Software Co., Ltd", OU=Software Development Department, O="Cybertron Software Co., Ltd", L=Shenzhen, ST=Guangdong, C=CN | CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US | 6bafec00e2a345c442d36011054e9156 | 04/17/2018 00:00:00 | 04/16/2020 23:59:59 | 92:75:2B:17:4F:7C:72:3F:0C:C4:13:04:EC:6F:2B:F5 | A6:1B:43:AB:90:20:B3:70:EA:F6:3D:36:3E:CE:FE:93:64:4E:7C:00 |
Hybrid Analysis
Analysed 10 processes in total (System Resource Monitor).
- privacy-eraser-setup.exe (PID: 2496) 2/81
- privacy-eraser-setup.tmp /SL5="$50246,5374264,721408,C:\privacy-eraser-setup.exe" (PID: 3672) 1/71
- PrivacyEraser64.exe /CheckMutex (PID: 3588)
- PrivacyEraser64.exe /Install /RBAddOpen /RBAddErase /WEAddErase (PID: 3844)
- iexplore.exe http://www.cybertronsoft.com/products/privacy-eraser/whats-new (PID: 1036)
- iexplore.exe SCODEF:1036 CREDAT:275457 /prefetch:2 (PID: 2448)
- iexplore.exe http://www.cybertronsoft.com/products/privacy-eraser/whats-new (PID: 3316)
- iexplore.exe SCODEF:3316 CREDAT:275457 /prefetch:2 (PID: 3284)
- PrivacyEraser64.exe (PID: 3272)
- PrivacyEraser64.exe (PID: 3204)
Network Analysis
DNS Requests
Domain | Address | TTL | Registrar | Organization | Name Server | Creation Date | Country |
---|---|---|---|---|---|---|---|
isrg.trustid.ocsp.identrust.com | 23.63.252.187 | 20 | - | - | - | - | United States |
m.addthis.com | 72.246.84.150 | 49 | TUCOWS, INC. | Oracle Corporation | NS1.P27.DYNECT.NET | Tue, 26 May 1998 00:00:00 GMT | United States |
ocsp.int-x3.letsencrypt.org | 23.63.252.169 | 2086 | eNom, Inc. | Internet Security Research Group | A9-67.AKAM.NET | Mon, 07 Jul 2014 19:54:04 GMT | United States |
s7.addthis.com | 72.246.84.150 | 40 | TUCOWS, INC. | Oracle Corporation | NS1.P27.DYNECT.NET | Tue, 26 May 1998 00:00:00 GMT | United States |
v1.addthisedge.com | 72.246.84.150 | 3308 | TUCOWS, INC. | Oracle Corporation | NS1.P27.DYNECT.NET | Tue, 02 Aug 2011 00:00:00 GMT | United States |
www.cybertronsoft.com | 162.241.252.131 | 14399 | GoDaddy.com, LLC | Domains By Proxy, LLC | NS1.SOFTLAYER.COM | Sun, 18 Feb 2007 12:43:43 GMT | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Country |
---|---|---|---|
162.241.252.131 | 80/TCP | iexplore.exe (PID: 3284), iexplore.exe (PID: 2448), privacyeraser64.exe (PID: 3272) | United States |
162.241.252.131 | 443/TCP | iexplore.exe (PID: 3284), iexplore.exe (PID: 2448), privacyeraser64.exe (PID: 3272) | United States |
184.24.182.162 | 443/TCP | iexplore.exe (PID: 3316) | United States |
HTTP Traffic
Endpoint | Request | URL |
---|---|---|
162.241.252.131:80 (www.cybertronsoft.com) | GET | www.cybertronsoft.com/products/privacy-eraser/whats-new |
162.241.252.131:80 (www.cybertronsoft.com) | GET | www.cybertronsoft.com/products/privacy-eraser/whats-new |
162.241.252.131:80 (www.cybertronsoft.com) | GET | www.cybertronsoft.com/download/privacy-eraser/update.xml |
Raw request for the two whats-new fetches (identical, sent by the Internet Explorer processes):
GET /products/privacy-eraser/whats-new HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.cybertronsoft.com
DNT: 1
Connection: Keep-Alive
Raw request for update.xml (plain HTTP, no cache):
GET /download/privacy-eraser/update.xml HTTP/1.1
Accept: */*
Host: www.cybertronsoft.com
Cache-Control: no-cache
Memory Forensics
String | Context | Stream UID |
---|---|---|
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline | Domain/IP reference | 00009252-00002496-8327-4119-004A1750 |
Extracted Strings
Extracted Files
Displaying 22 extracted file(s). The remaining 110 file(s) are available in the full version and XML/JSON reports.
Verdict | File | Size | Type / Description | Runtime Process | AV Scan Result | MD5 | SHA1 | SHA256 |
---|---|---|---|---|---|---|---|---|
Clean | urlblockindex_1_.bin | 16B (16 bytes) | data | - | 0/65 | fa518e3dfae8ca3a0e495460fd60c791 | e4f30e49120657d37267c0162fd4a08934800c69 | 775853600060162c4b4e5f883f9fd5a278e61c471b3ee1826396b6d129499aa7 |
Informative Selection | Privacy Eraser.lnk | Unknown (0 bytes) | empty | privacy-eraser-setup.tmp (PID: 3672) | - | - | - | - |
Informative | Privacy Eraser on the Web.url | 79B (79 bytes) | - | privacy-eraser-setup.tmp (PID: 3672) | - | c27c6462a79e654658264a647417dc25 | 8f1f73ef9c0690d49e2dbc339aadb5d62f353f95 | 49b59f220f8426cc4b3fedb4aa0d9eed01b0aff0f5ad53674d7b9c65c3d7f4e0 |
Informative | Uninstall Privacy Eraser.lnk | 1010B (1010 bytes) | lnk: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Fri Oct 11 10:20:59 2019, mtime=Fri Oct 11 10:20:59 2019, atime=Fri Oct 11 10:17:28 2019, length=2547336, window=hide | privacy-eraser-setup.tmp (PID: 3672) | - | e8a1fcbd9f862a010531ce1fadd035ee | a56934b3191d8852d2263739398a38c10737a281 | 175432024a89f1434a037c4d20e3e044fe09204f2421d3b1c38ebb13aa49bce2 |
Informative | Config.xml | 9.3KiB (9559 bytes) | - | PrivacyEraser64.exe (PID: 3844) | - | 1855c9f96e80c2fe06ce295f58916fd0 | 4f27a5df423509a2c76cc6c266350936c61426a4 | c2f803ec6e5db96261306ad1ac7404aa4eaa233eaa5650f7364a0e3989bc6dcc |
Informative | 251EMXFE.txt | 85B (85 bytes) | - | iexplore.exe (PID: 3284) | - | a52345aa4c1f219c358af81cebcf6c01 | 112a64934a6c032e3089b178d2034eb584adc6b2 | 2eaef90c178e5011eceb03083eb15d04378f7b13218655d14ec99d8c187d77b7 |
Informative | 2R50ZXDA.txt | 76B (76 bytes) | - | iexplore.exe (PID: 3284) | - | cbc32eb1bcd9f8e068423cbec603ce5c | 02eb76bd782844361294647f8008f6368196b85e | ef9970a3d8868acaefd383bd815a64146ea4e832a5d03270c5c4382c615d043c |
Informative | 78SN4XJ5.txt | 66B (66 bytes) | - | iexplore.exe (PID: 3316) | - | 5f80d650ddb5f95f2f2280caf6c04e39 | 9c76c74ff616e32ea8cf9815d6efb584e0e9788a | f120c2ae6cce1276d57f4ace582a6a9307c416a56fdeb40297594fd378f12c66 |
Informative | G8TWI3NL.txt | 183B (183 bytes) | - | iexplore.exe (PID: 2448) | - | 59b5fdb439c0f48c4e2773d0d2b60313 | 729149f198e820d6ef31f0ff5c97c0320a4a07b9 | fc153b900558c482be40630713bd0cad8dc227327e143982c9269bffff981553 |
Informative | H84IL123.txt | 186B (186 bytes) | - | iexplore.exe (PID: 2448) | - | a02312e0ac49ab7d804a2294b4261c18 | 9a6b3b0b651192a20e9dddf4c36d75f38995d2a5 | 72deef2fdb20f5b73ec925648b8cc1e225a540f00077a4271e79a120eeab90f7 |
Informative | HPDWFPG0.txt | 516B (516 bytes) | - | iexplore.exe (PID: 3316) | - | f8ba60987a6e9c7d90f5efae49d020fe | 80d70508b990971856dbfdb0eb5ce122cd6dd291 | f02939d2397337786555a7b056f508b42a13e4c09cc6ce973eadf54e4151c25d |
Informative | IA3N1SEY.txt | 186B (186 bytes) | - | iexplore.exe (PID: 2448) | - | a02312e0ac49ab7d804a2294b4261c18 | 9a6b3b0b651192a20e9dddf4c36d75f38995d2a5 | 72deef2fdb20f5b73ec925648b8cc1e225a540f00077a4271e79a120eeab90f7 |
Informative | LQQNQ13K.txt | 147B (147 bytes) | text: ASCII text | iexplore.exe (PID: 3284) | - | 55c5456fe22826b691d7501ba462b922 | 0e6f452250e562ca0d182c21bd8264c3826ead23 | d5c807ae5ba793087fe55709ea0a56c79f71bbd8c10cabadf25965e196ea3b2e |
Informative | LR17FQCH.txt | 186B (186 bytes) | - | iexplore.exe (PID: 2448) | - | 67c5acf1c5618cdb00da64c71f40e24a | cd10144f77ed94818701aa84670d71157b7253b7 | 568d4333c3edb73158640797306291ca793c86cb006b3e466078564c86f00a23 |
Informative | MCGS8MWM.txt | 76B (76 bytes) | - | iexplore.exe (PID: 3284) | - | cbc32eb1bcd9f8e068423cbec603ce5c | 02eb76bd782844361294647f8008f6368196b85e | ef9970a3d8868acaefd383bd815a64146ea4e832a5d03270c5c4382c615d043c |
Informative | OIG0EAAY.txt | 439B (439 bytes) | - | iexplore.exe (PID: 1036) | - | 63626492604b82b0d2c13ff1526d18a8 | 7a2bbc00f3c550cf0bd566fa478e320ffc2a628b | 9a612c761fa49f0d97265b155f4bb85aeaf1728f1efa565d10863e0194738ee9 |
Informative | PBAJ57Q4.txt | 439B (439 bytes) | - | iexplore.exe (PID: 3316) | - | 63626492604b82b0d2c13ff1526d18a8 | 7a2bbc00f3c550cf0bd566fa478e320ffc2a628b | 9a612c761fa49f0d97265b155f4bb85aeaf1728f1efa565d10863e0194738ee9 |
Informative | Q8WB0PHN.txt | 182B (182 bytes) | - | iexplore.exe (PID: 2448) | - | d2d4ae2c1622b59b28f9fe54c388fad7 | fb55c5dcd86154accd2efbb3391d56f3e46e9585 | 0c6a33c5beefa211d14500e79c7794ae22022a69975729dd7ac9370d278e3894 |
Informative | T62X96WM.txt | 181B (181 bytes) | - | iexplore.exe (PID: 2448) | - | f90061bcbe86c6edc92aa3f07184cd2d | 85ab0d3b11f622d44258dd7479fac3c00cdd5c50 | 3ec0af0c1baaabdf7e1648084a9718308a8775d2b14035da4666e2d4aa06832e |
Informative | TO0F07XX.txt | 186B (186 bytes) | - | iexplore.exe (PID: 2448) | - | b2a4944656fafc7beb7d7a5970784ec7 | f0418de8d8c1761524c8bb8203071fc98e2e8a1b | e865daf984091458fa098a6e7ee50f780832ccfcd89bb96e8578c9229e66ce18 |
Informative | UHJPJGI6.txt | 160B (160 bytes) | - | iexplore.exe (PID: 3316) | - | acfda6b54d9a90d0107cfac7c1c88623 | 2d8bd016c212794add3aacfb7f58ebe58106ee64 | 00c6b0a48e49838ba4d3631fa12c982c0059c196f77fccc3a6aac92387191570 |
Informative | W96C1TNM.txt | 257B (257 bytes) | - | iexplore.exe (PID: 2448) | - | e4397a8297de69dbb5525356c5ed4312 | ccccc3082180794d4c6e297d83410334ae4d96df | b9b033d46706bc823f5ba571923e7359fa11d81dd824099cab3595cddd16034b |
Notifications
-
Runtime
- Not all IP/URL string resources were checked online
- Not all file accesses are visible for iexplore.exe (PID: 1036)
- Not all file accesses are visible for iexplore.exe (PID: 2448)
- Not all file accesses are visible for iexplore.exe (PID: 3284)
- Not all file accesses are visible for iexplore.exe (PID: 3316)
- Not all sources for indicator ID "api-12" are available in the report
- Not all sources for indicator ID "api-25" are available in the report
- Not all sources for indicator ID "api-47" are available in the report
- Not all sources for indicator ID "api-51" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "registry-17" are available in the report
- Not all sources for indicator ID "registry-18" are available in the report
- Not all sources for indicator ID "registry-19" are available in the report
- Not all sources for indicator ID "registry-55" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report