Advanced File Analysis System

Packer

The binary likely contains encrypted or compressed data. Show sources

packer_section

name: .rsrc, entropy: 7.01, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ, raw_size: 0x00031c00, virtual_size: 0x00031bd0

Information Discovery

Reads data out of its own binary image Show sources

api_process_name	process: 61adaa1e33defc6220507b83b910c562c63f014c.exe, pid: 2476, offset: 0x0005c314, length: 0x001115c5
api_process_name	process: 61adaa1e33defc6220507b83b910c562c63f014c.exe, pid: 2476, offset: 0x0016d9ea, length: 0x00039e7c
api_process_name	process: 61adaa1e33defc6220507b83b910c562c63f014c.tmp, pid: 2560, offset: 0x00000000, length: 0x000abe00

Hooking and other Techniques for Hiding Protection

Creates RWX memory Show sources

injection_rwx_memory

0x00000040, NtAllocateVirtualMemory or VirtualProtectEx

Data Obfuscation

Drops a binary and executes it Show sources

file_dropped

C:\Users\user\AppData\Local\Temp\is-0KU8E.tmp\61adaa1e33defc6220507b83b910c562c63f014c.tmp

File Name: SimplyWatch_3142637754.exe

File Type: PE32 executable (GUI) Intel 80386, for MS Windows

SHA1: 61adaa1e33defc6220507b83b910c562c63f014c

MD5: 332d9f2a17a88c50be5910c449fb6317