Reads data out of its own binary image Show sources
| api_process_name | process: 29c8d201060f864bd41f4c57c767241e2f57ea9b.exe, pid: 3004, offset: 0x00000000, length: 0x00001000 |
| api_process_name | process: 29c8d201060f864bd41f4c57c767241e2f57ea9b.exe, pid: 3004, offset: 0x00000080, length: 0x00000200 |
| api_process_name | process: 29c8d201060f864bd41f4c57c767241e2f57ea9b.exe, pid: 3004, offset: 0x00000178, length: 0x00000200 |
| api_process_name | process: 29c8d201060f864bd41f4c57c767241e2f57ea9b.exe, pid: 3004, offset: 0x000a9730, length: 0x00000200 |
| api_process_name | process: 29c8d201060f864bd41f4c57c767241e2f57ea9b.exe, pid: 3004, offset: 0x000a974c, length: 0x00000200 |
| api_process_name | process: 29c8d201060f864bd41f4c57c767241e2f57ea9b.exe, pid: 3004, offset: 0x000a9768, length: 0x00000200 |
| api_process_name | process: 29c8d201060f864bd41f4c57c767241e2f57ea9b.exe, pid: 3004, offset: 0x000a9784, length: 0x00000200 |
| api_process_name | process: 29c8d201060f864bd41f4c57c767241e2f57ea9b.exe, pid: 3004, offset: 0x000a97a0, length: 0x00000200 |
Attempts to block SafeBoot use by removing registry keys Show sources
| registry_delete | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option |
The binary likely contains encrypted or compressed data. Show sources
| packer_section | name: .text, entropy: 7.39, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x000acc00, virtual_size: 0x000acba0 |
Steals private information from local Internet browsers Show sources
| file_read | C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data |
| file_read | C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini |
Harvests credentials from local FTP client softwares Show sources
| file | C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml |
| file | C:\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt |
| file | C:\Users\user\AppData\Local\VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt |
| file | C:\Users\user\AppData\Local\VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt |
| file | C:\Program Files (x86)\FTP Commander\Ftplist.txt |
| file | C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect |
| file | C:\Users\user\AppData\Roaming\FTPGetter\servers.xml |
| file | C:\cftp\Ftplist.txt |
| key | HKEY_CURRENT_USER\SOFTWARE\FTPWare\COREFTP\Sites |
Harvests information related to installed mail clients Show sources
| file | C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini |
| key | HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676 |
| key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 |
| key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 |
| key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
| key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email |
| key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP Password |
| key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email |
| key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Server |
| key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 |
| key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email |
| key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTP Password |
| key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Password |
| key | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Password |
| key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
| key | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
Creates RWX memory Show sources
| injection_rwx_memory | 0x00000040, NtAllocateVirtualMemory or VirtualProtectEx |
Executed a process and injected code into it, probably while unpacking Show sources
| code_injection | 29c8d201060f864bd41f4c57c767241e2f57ea9b.exe(2360) -> 29c8d201060f864bd41f4c57c767241e2f57ea9b.exe(3004) |
Attempts to execute a powershell command with suspicious parameter/s Show sources
| b64_encoded | Uses a Base64 encoded command value |
A process attempted to delay the analysis task. Show sources
| api_process_name | 29c8d201060f864bd41f4c57c767241e2f57ea9b.exe tried to sleep 399 seconds, actually delayed analysis time by 0 seconds |
Detects VirtualBox through the presence of a file Show sources
| file_query | C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe |
Attempts to repeatedly call a single API many times in order to delay analysis time Show sources
| api_process_name | services.exe (460) called API GetSystemTimeAsFileTime 5865654 times |
Creates a hidden or system file Show sources
| file_write | C:\Users\user\AppData\Roaming\NionjZ.exe |
Attempts to identify installed AV products by installation directory Show sources
| file_query | C:\Program Files\Sandboxie\Start.exe |
| file_query | C:\Program Files\Sandboxie |
| file_query | C:\Program Files\Sandboxie\Start.exe |
| file_query | C:\Program Files\Sandboxie |
| file_query | C:\Program Files\Sandboxie\Start.exe |
| file_query | C:\Program Files\Sandboxie |
| file_query | C:\Program Files\Sandboxie\SbieCtrl.exe |
| file_query | C:\Program Files\Sandboxie |
| file_query | C:\Program Files\Sandboxie\Start.exe |
| file_query | C:\Program Files\Sandboxie |
| file_query | C:\Windows\Installer\SandboxieInstall64.exe |