The binary likely contains encrypted or compressed data. The .data section below has an entropy of 7.96 bits per byte (8.0 is the ceiling, reached only by random or encrypted data), is writable, and declares a virtual size of 0x01728d8c (about 23 MiB) against a raw size of 0x00029800, roughly 140 times smaller. That layout is typical of a packer: the loader reserves the large region and the stub decompresses or decrypts the real payload into it at run time, so the static strings and import table of this file say little about its behaviour.
packer_section | name: .data, entropy: 7.96, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00029800, virtual_size: 0x01728d8c |
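The check behind the packer_section indicator can be reproduced statically. The following is an added example, not code from the sandbox or from the sample: it parses the PE section table with the standard library only, computes per-section Shannon entropy, and flags sections that combine near-maximal entropy with a writable, over-sized virtual region. The test image it builds is constructed for the example (an MZ/PE shell with two sections; the .data VirtualSize is copied from the report, everything else is invented).

```python
"""Static triage for the packer_section indicator: parse the PE section table,
compute per-section Shannon entropy, and flag sections that look like a packed
or encrypted payload (high entropy, writable, VirtualSize far above SizeOfRawData)."""
import hashlib
import math
import struct
from collections import Counter

# IMAGE_SECTION_HEADER.Characteristics flags (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for ciphertext."""
    n = len(data)
    if n == 0:
        return 0.0
    ent = 0.0
    for count in Counter(data).values():
        p = count / n
        ent -= p * math.log2(p)
    return ent


def parse_sections(pe: bytes) -> list:
    """Walk the section table of a PE image and return one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the PE signature.
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _fchars = struct.unpack_from(
        "<HHIIIHH", pe, e_lfanew + 4)
    off = e_lfanew + 4 + 20 + opt_size  # section headers follow the optional header
    sections = []
    for _ in range(nsections):
        (name, vsize, vaddr, rawsize, rawptr, _relptr, _lineptr,
         _nrel, _nline, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": rawsize,
            "characteristics": chars,
            "entropy": shannon_entropy(raw),
        })
        off += 40  # sizeof(IMAGE_SECTION_HEADER)
    return sections


def suspicious_sections(pe: bytes, entropy_min: float = 7.0, ratio_min: float = 4.0) -> list:
    """Flag sections with packer-like layout: high entropy plus either a writable
    mapping or a VirtualSize/SizeOfRawData ratio that leaves room to unpack in place."""
    hits = []
    for s in parse_sections(pe):
        ratio = s["virtual_size"] / s["raw_size"] if s["raw_size"] else float("inf")
        writable = bool(s["characteristics"] & IMAGE_SCN_MEM_WRITE)
        if s["entropy"] < entropy_min:
            continue
        reasons = ["entropy %.2f" % s["entropy"]]
        if ratio >= ratio_min:
            reasons.append("virtual/raw size ratio %.0f" % ratio)
        if writable:
            reasons.append("writable")
        if len(reasons) > 1:
            hits.append({"name": s["name"], "size_ratio": ratio, "reasons": reasons})
    return hits


def build_sample_pe() -> bytes:
    """Constructed test image (not the sample from the report): an MZ/PE shell
    with no optional header, a low-entropy .text and a high-entropy .data whose
    VirtualSize (taken from the report) dwarfs its raw size."""
    text_raw = b"\x90" * 0x200  # NOP sled: entropy 0
    # deterministic pseudo-random bytes stand in for an encrypted payload (4096 bytes)
    data_raw = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

    def sect_hdr(name, vsize, vaddr, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)

    e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0x22)  # 2 sections, no optional header
    headers = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
               + b"PE\0\0" + file_hdr
               + sect_hdr(b".text", 0x200, 0x1000, 0x200, 0x200,
                          IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
               + sect_hdr(b".data", 0x01728D8C, 0x2000, 0x1000, 0x400,
                          IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE))
    return headers.ljust(0x200, b"\0") + text_raw + data_raw


if __name__ == "__main__":
    image = build_sample_pe()
    for s in parse_sections(image):
        print("%-8s entropy=%.2f raw=0x%x virtual=0x%x" % (
            s["name"], s["entropy"], s["raw_size"], s["virtual_size"]))
    for h in suspicious_sections(image):
        print("packer-like section %s: %s" % (h["name"], ", ".join(h["reasons"])))
```

Pass the bytes of any PE file to parse_sections and suspicious_sections to triage a real sample; a hit on a writable section with a size ratio in the hundreds, as in the report, is the cue to dump the process after the stub has run rather than analysing the file on disk.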
Collects information to fingerprint the system. The ProductId read below is a weak indicator on its own, since installers and licensing code read it too; it becomes meaningful together with the CPU-name read further down, which is the same OS and hardware profiling malware uses to build a victim identifier or to recognise a sandbox image.
registry_read | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId |
Steals private information from local Internet browsers. The files read below are the Chrome credential store (Login Data), autofill and saved payment data (Web Data), and the cookie databases of Chrome and Firefox; reading them from a process that is not the browser is a strong stealer indicator. A running browser holds these SQLite files locked, so stealers usually copy them first, and Chrome's saved passwords are protected with DPAPI (directly in older versions, through an AES key stored in the profile's Local State file in current ones), so check the full API log for a read of Local State and for CryptUnprotectData calls to confirm decryption was attempted.
file_read | C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data |
file_read | C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data |
file_read | C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies |
file_read | C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\jdm2a1on.default\cookies.sqlite |
file_read | C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies |
A process attempted to delay the analysis task. The sleep calls below are long (1145 s and 661 s) and were short-circuited by the sandbox, which is why the actual delay is 0 s; a sample that measures elapsed time after such a call can notice the skip, so the absence of a further evasion check here does not mean the sample stopped probing. Note that WmiPrvSE.exe is the WMI Provider Host, a Windows system process; a sleep issued there may be unrelated system activity or a WMI query launched by the sample, and should be tied to the sample through the process tree before being counted as evasion.
api_process_name | e541b15427e08d8c0ea7bb03080e6341dba1672f.exe tried to sleep 1145 seconds, actually delayed analysis time by 0 seconds |
api_process_name | WmiPrvSE.exe tried to sleep 661 seconds, actually delayed analysis time by 0 seconds |
Checks the CPU name from registry, possibly for anti-virtualization. ProcessorNameString on a virtualized guest often carries strings such as "QEMU Virtual CPU" or the hypervisor's branding, which is what such a check typically looks for; the same read is also common in benign system-information code, so weigh it together with the sleep and ProductId behaviour above.
registry_read | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString |
Creates RWX memory. The protection value 0x00000040 below is PAGE_EXECUTE_READWRITE. That is consistent with the packer above decrypting code into a buffer and jumping into it, and also with injection into another process; the signature does not say which, so check the process handle passed to the call: the current process points to in-place unpacking, a handle to a foreign process to injection.
injection_rwx_memory | 0x00000040, NtAllocateVirtualMemory or VirtualProtectEx |
Attempts to block SafeBoot use by removing registry keys. The key deleted below, SafeBoot\Option, holds the OptionValue that Windows writes when the current session was booted in Safe Mode; it is normally absent on a regular boot, so this deletion may be a failed probe rather than effective tampering. Deleting the SafeBoot\Minimal or SafeBoot\Network subkeys, which list the drivers and services allowed to start in Safe Mode, would be the damaging variant; look for those, and for the sample registering its own entry under them, if it persists as a service.
registry_delete | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option |