Windows Analysis Report
avz.exe

Overview

General Information

Sample name: avz.exe
Analysis ID: 1436352
MD5: 59e8187b34416258ae6ab3cdf4ee6628
SHA1: 38378107dec5f543448a80134219a61dd37fab80
SHA256: cbfadfb4f37c0e70827f4b5349d20827079aa86aa24c0b10c921aa06681f4757
Tags: Detectionverificationexe

Detection

Score: 25
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

May modify the system service descriptor table (often done to hook functions)
AV process strings found (often used to terminate AV products)
Contains functionality to query locales information (e.g. system language)
Detected potential crypto function
Enables debug privileges
Enables driver privileges
Found large amount of non-executed APIs
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: avz.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_0040E718 FindFirstFileW,FindClose, 0_2_0040E718
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_0040E14C GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 0_2_0040E14C
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_00424B74 FindFirstFileW,FindClose, 0_2_00424B74
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_00424D58 FindFirstFileW,FindClose, 0_2_00424D58
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_00422AAC GetLogicalDriveStringsW,QueryDosDeviceW, 0_2_00422AAC
Source: avz.exe, avz.exe, 00000000.00000002.2857267956.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://whitelist.kaspersky.com/application?MD5=
Source: avz.exe, 00000000.00000002.2857267956.0000000000960000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.kaspersky.ru/
Source: avz.exe, 00000000.00000002.2857267956.0000000000960000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.z-oleg.com/secur/avz/report.php
Source: avz.exe, 00000000.00000002.2857267956.0000000000960000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.z-oleg.com/secur/avz_up5/
Source: avz.exe, 00000000.00000002.2857267956.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://z-oleg.com/secur/avz/
Source: avz.exe, 00000000.00000002.2857267956.0000000000960000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://z-oleg.com/secur/avz/uploadvir.php
Source: avz.exe, 00000000.00000002.2857267956.0000000000960000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://z-oleg.com/secur/avz_doc/
Source: avz.exe, avz.exe, 00000000.00000002.2857267956.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://nova.rambler.ru/search?query=
Source: avz.exe, 00000000.00000002.2857267956.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://nova.rambler.ru/search?query=U
Source: avz.exe, avz.exe, 00000000.00000002.2857267956.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.google.ru/search?hl=ru&q=
Source: avz.exe, 00000000.00000002.2857267956.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.google.ru/search?hl=ru&q=U
Source: avz.exe String found in binary or memory: https://www.kaspersky.com/
Source: avz.exe, 00000000.00000002.2857267956.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.kaspersky.com/U
Source: avz.exe, 00000000.00000002.2857267956.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.kaspersky.com/https://www.kaspersky.ru/U
Source: avz.exe String found in binary or memory: https://www.kaspersky.ru/
Source: avz.exe String found in binary or memory: https://www.z-oleg.com/secur/avz/report.php
Source: avz.exe, 00000000.00000002.2857267956.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.z-oleg.com/secur/avz/report.phpU
Source: avz.exe, avz.exe, 00000000.00000002.2857267956.0000000000960000.00000040.00000001.01000000.00000003.sdmp, avz.exe, 00000000.00000002.2857267956.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.z-oleg.com/secur/avz_up5/
Source: avz.exe String found in binary or memory: https://z-oleg.com/secur/avz
Source: avz.exe String found in binary or memory: https://z-oleg.com/secur/avz/upload_qr.php
Source: avz.exe, 00000000.00000002.2857267956.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://z-oleg.com/secur/avz/upload_qr.phpU
Source: avz.exe, 00000000.00000002.2857267956.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://z-oleg.com/secur/avzU
Source: avz.exe String found in binary or memory: https://z-oleg.com/secur/avz_doc/
Source: avz.exe, 00000000.00000002.2857267956.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://z-oleg.com/secur/avz_doc/U
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_004412E8 0_2_004412E8
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_0040CBA4 0_2_0040CBA4
Source: C:\Users\user\Desktop\avz.exe Process token adjusted: Load Driver
Source: avz.exe Static PE information: Resource name: RT_BITMAP type: 68K BCS executable
Source: avz.exe Static PE information: Resource name: RT_STRING type: DOS executable (COM)
Source: avz.exe Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: avz.exe Binary or memory string: OriginalFilename vs avz.exe
Source: avz.exe, 00000000.00000002.2859328721.000000000A533000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamecomctl32.DLL.MUIj% vs avz.exe
Source: avz.exe, 00000000.00000002.2857267956.0000000000401000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename vs avz.exe
Source: avz.exe, 00000000.00000002.2857267956.0000000000401000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameU vs avz.exe
Source: avz.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: avz.exe Static PE information: Section: UPX1 ZLIB complexity 0.9887729595035105
Source: classification engine Classification label: sus25.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_00425874 GetDiskFreeSpaceW, 0_2_00425874
Source: C:\Users\user\Desktop\avz.exe File created: C:\Users\user\Desktop\BASE
Source: Yara match File source: 0.2.avz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2857267956.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\avz.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\avz.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\avz.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: avz.exe String found in binary or memory: NATS-SEFI-ADD
Source: avz.exe String found in binary or memory: NATS-DANO-ADD
Source: avz.exe String found in binary or memory: </InstalledProg>
Source: avz.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: avz.exe String found in binary or memory: jp-ocr-b-add
Source: avz.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: avz.exe String found in binary or memory: jp-ocr-hand-add
Source: avz.exe String found in binary or memory: ISO_6937-2-add
Source: avz.exe String found in binary or memory: MAIN-START
Source: avz.exe String found in binary or memory: switch></addop><mulop><switch><char text="*" add="op"/><char text="/" add="op"/><keyword text="DIV" add="op" addtext="div"/><keywo
Source: C:\Users\user\Desktop\avz.exe File read: C:\Users\user\Desktop\avz.exe
Source: C:\Users\user\Desktop\avz.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: olepro32.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: thumbcache.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\avz.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\avz.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
Source: C:\Users\user\Desktop\avz.exe Window found: window name: TComboBox
Source: Window Recorder Window detected: More than 3 window changes detected
Source: avz.exe Static file information: File size 1572352 > 1048576
Source: avz.exe Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x175e00
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_0043A25C push ecx; mov dword ptr [esp], ecx 0_2_0043A25F
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_00430204 push 004302EFh; ret 0_2_004302E7
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_0046835C push ecx; mov dword ptr [esp], edx 0_2_0046835D
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_0046730C push ecx; mov dword ptr [esp], ecx 0_2_00467310
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_0042A448 push 0042A4E1h; ret 0_2_0042A4D9
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_0046343C push ecx; mov dword ptr [esp], ecx 0_2_00463440
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_0041C4E8 push 0041C520h; ret 0_2_0041C518
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_0041048C push 0041050Fh; ret 0_2_00410507
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_00466510 push ecx; mov dword ptr [esp], edx 0_2_00466511
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_00466520 push ecx; mov dword ptr [esp], edx 0_2_00466521
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_00465530 push ecx; mov dword ptr [esp], ecx 0_2_00465534
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_008335F4 push ecx; mov dword ptr [esp], edx 0_2_008335F5
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_00466604 push ecx; mov dword ptr [esp], ecx 0_2_00466608
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_004686F8 push ecx; mov dword ptr [esp], edx 0_2_004686F9
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_00464840 push ecx; mov dword ptr [esp], ecx 0_2_00464844
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_00467828 push ecx; mov dword ptr [esp], edx 0_2_00467829
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_00462888 push 004628DEh; ret 0_2_004628D6
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_00466978 push ecx; mov dword ptr [esp], edx 0_2_00466979
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_00466988 push ecx; mov dword ptr [esp], edx 0_2_00466989
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_00466A6C push ecx; mov dword ptr [esp], ecx 0_2_00466A70
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_00465A2C push ecx; mov dword ptr [esp], eax 0_2_00465A2E
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_0043EB78 push ecx; mov dword ptr [esp], eax 0_2_0043EB79
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_00467B78 push ecx; mov dword ptr [esp], edx 0_2_00467B79
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_0043DB14 push ecx; mov dword ptr [esp], eax 0_2_0043DB15
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_00462C10 push ecx; mov dword ptr [esp], edx 0_2_00462C11
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_00425C18 push ecx; mov dword ptr [esp], ecx 0_2_00425C1B
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_00468D5C push ecx; mov dword ptr [esp], edx 0_2_00468D5D
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_00465DF4 push ecx; mov dword ptr [esp], edx 0_2_00465DF5
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_00466DF0 push ecx; mov dword ptr [esp], edx 0_2_00466DF1
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_00466ED4 push ecx; mov dword ptr [esp], ecx 0_2_00466ED8
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_0043CED0 push 0043CF27h; ret 0_2_0043CF1F
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Hooking and other Techniques for Hiding and Protection

Source: avz.exe Binary or memory string: KeServiceDescriptorTable
Source: avz.exe, 00000000.00000002.2857267956.0000000000401000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: KeServiceDescriptorTable
Source: C:\Users\user\Desktop\avz.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\Desktop\avz.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\avz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\avz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\avz.exe API coverage: 9.0 %
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_0040E718 FindFirstFileW,FindClose, 0_2_0040E718
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_0040E14C GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 0_2_0040E14C
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_00424B74 FindFirstFileW,FindClose, 0_2_00424B74
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_00424D58 FindFirstFileW,FindClose, 0_2_00424D58
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_00422AAC GetLogicalDriveStringsW,QueryDosDeviceW, 0_2_00422AAC
Source: avz.exe, 00000000.00000002.2858364688.0000000001AE3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}T
Source: avz.exe, 00000000.00000002.2858364688.0000000001AE3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: avz.exe, 00000000.00000002.2858364688.0000000001B53000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Pro
Source: avz.exe, 00000000.00000002.2858364688.0000000001AE3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: avz.exe, 00000000.00000002.2858364688.0000000001AE3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Users\user\Desktop\avz.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\avz.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 0_2_0040E850
Source: C:\Users\user\Desktop\avz.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0040DCF0
Source: C:\Users\user\Desktop\avz.exe Code function: GetLocaleInfoW, 0_2_00429DD8
Source: C:\Users\user\Desktop\avz.exe Code function: GetLocaleInfoW, 0_2_00429E24
Source: C:\Users\user\Desktop\avz.exe Code function: 0_2_00428164 GetLocalTime, 0_2_00428164
Source: C:\Users\user\Desktop\avz.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: avz.exe, 00000000.00000002.2858603420.000000000546A000.00000004.00001000.00020000.00000000.sdmp, avz.exe, 00000000.00000002.2858364688.0000000001B10000.00000004.00000020.00020000.00000000.sdmp, avz.exe, 00000000.00000002.2858603420.0000000005478000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\avz.exe
Source: avz.exe, 00000000.00000002.2857267956.00000000008E6000.00000040.00000001.01000000.00000003.sdmp, avz.exe, 00000000.00000002.2858364688.0000000001B10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avz.exe
No contacted IP infos