The binary likely contains encrypted or compressed data.
packer_section | name: "`j+"t\\x15, entropy: 7.67, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000200, virtual_size: 0x00000074 |
packer_section | name: .text, entropy: 7.99, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x001f1000, virtual_size: 0x001f0fbc |
packer_section | name: .\x11UN]M6\x7f, entropy: 7.82, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00005200, virtual_size: 0x00005172 |
Reads data out of its own binary image
api_process_name | process: 997a45a3707dd6ac76765664503576d3f6a37cb3.exe, pid: 1164, offset: 0x00000000, length: 0x00001000 |
api_process_name | process: 997a45a3707dd6ac76765664503576d3f6a37cb3.exe, pid: 1164, offset: 0x00000000, length: 0x001f6c00 |
api_process_name | process: 997a45a3707dd6ac76765664503576d3f6a37cb3.exe, pid: 1164, offset: 0x00000080, length: 0x00000200 |
api_process_name | process: 997a45a3707dd6ac76765664503576d3f6a37cb3.exe, pid: 1164, offset: 0x001f6c00, length: 0x00000010 |
Anomalous binary characteristics
static_pe_section_name | Unprintable characters found in section name |
Creates a hidden or system file
file_write | C:\Users\user\AppData\Local\Temp\4E07515B.dll |
Creates RWX memory
injection_rwx_memory | 0x00000040, NtAllocateVirtualMemory or VirtualProtectEx |