Attempts to block SafeBoot use by removing registry keys Show sources
| registry_delete | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option |
The binary likely contains encrypted or compressed data. Show sources
| packer_section | name: .text, entropy: 7.87, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x000aee00, virtual_size: 0x000aed98 |
| packer_section | name: .rsrc, entropy: 7.58, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00002600, virtual_size: 0x00002548 |
Steals private information from local Internet browsers Show sources
| file_read | C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data |
| file_read | C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini |
Harvests credentials from local FTP client softwares Show sources
| file | C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml |
| file | C:\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt |
| file | C:\Users\user\AppData\Local\VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt |
| file | C:\Users\user\AppData\Local\VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt |
| file | C:\Program Files (x86)\FTP Commander\Ftplist.txt |
| file | C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect |
| file | C:\Users\user\AppData\Roaming\FTPGetter\servers.xml |
| file | C:\cftp\Ftplist.txt |
| key | HKEY_CURRENT_USER\SOFTWARE\FTPWare\COREFTP\Sites |
Harvests information related to installed mail clients Show sources
| file | C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini |
| key | HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676 |
| key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 |
| key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 |
| key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
| key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email |
| key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP Password |
| key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email |
| key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Server |
| key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 |
| key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email |
| key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Password |
| key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles |
Creates RWX memory Show sources
| injection_rwx_memory | 0x00000040, NtAllocateVirtualMemory or VirtualProtectEx |
Executed a process and injected code into it, probably while unpacking Show sources
| code_injection | 1d78518cc76abf62a24da3c94f1f349191ae702f.exe(2576) -> 1d78518cc76abf62a24da3c94f1f349191ae702f.exe(2936) |
Attempts to execute a powershell command with suspicious parameter/s Show sources
| b64_encoded | Uses a Base64 encoded command value |
A process attempted to delay the analysis task. Show sources
| api_process_name | 1d78518cc76abf62a24da3c94f1f349191ae702f.exe tried to sleep 312 seconds, actually delayed analysis time by 0 seconds |
Checks the CPU name from registry, possibly for anti-virtualization Show sources
| registry_read | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString |