Reads data out of its own binary image Show sources
| self_read | process: 54f7533b1a92b258e7cd1a93f4fcb1a654d121b1.exe, pid: 1932, offset: 0x00000000, length: 0x0012c000 |
| self_read | process: 54f7533b1a92b258e7cd1a93f4fcb1a654d121b1.exe, pid: 1932, offset: 0x001833e4, length: 0x00000004 |
Attempts to block SafeBoot use by removing registry keys Show sources
| file | H |
| file | K |
| file | E |
| file | Y |
| file | _ |
| file | L |
| file | O |
| file | C |
| file | A |
| file | L |
| file | _ |
| file | M |
| file | A |
| file | C |
| file | H |
| file | I |
| file | N |
| file | E |
| file | \ |
| file | S |
| file | Y |
| file | S |
| file | T |
| file | E |
| file | M |
| file | \ |
| file | C |
| file | u |
| file | r |
| file | r |
| file | e |
| file | n |
| file | t |
| file | C |
| file | o |
| file | n |
| file | t |
| file | r |
| file | o |
| file | l |
| file | S |
| file | e |
| file | t |
| file | \ |
| file | C |
| file | o |
| file | n |
| file | t |
| file | r |
| file | o |
| file | l |
| file | \ |
| file | S |
| file | a |
| file | f |
| file | e |
| file | b |
| file | o |
| file | o |
| file | t |
| file | \ |
| file | O |
| file | p |
| file | t |
| file | i |
| file | o |
| file | n |
The binary likely contains encrypted or compressed data. Show sources
| section | name: .rsrc, entropy: 7.52, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x000bf000, virtual_size: 0x000bed70 |
Creates RWX memory Show sources
| injection_rwx_memory | 0x00000040, NtAllocateVirtualMemory or VirtualProtectEx |
Attempts to interact with an Alternate Data Stream (ADS) Show sources
| file | C:\Users\user\AppData\Local\Temp\54f7533b1a92b258e7cd1a93f4fcb1a654d121b1.exe:tmp |
Tries to unhook or modify Windows functions monitored by Cuckoo Show sources
| unhook | function_name: NtCreateUserProcess, type: modification |
Spoofs its process name and/or associated pathname to appear as a legitimate process Show sources
| modified_path | C:\Users\user\AppData\Local\Temp\____________________________________________ | modified_name | ____________________________________________ | original_name | 54f7533b1a92b258e7cd1a93f4fcb1a654d121b1.exe | original_path | C:\Users\user\AppData\Local\Temp\54f7533b1a92b258e7cd1a93f4fcb1a654d121b1.exe |