Attempts to block SafeBoot use by removing registry keys
  registry_delete: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option

The binary likely contains encrypted or compressed data.
  packer_section: name: .rsrc, entropy: 7.91, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00077c00, virtual_size: 0x00077bd1

Collects information to fingerprint the system
  registry_read: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGUID

Creates RWX memory
  injection_rwx_memory: 0x00000040, NtAllocateVirtualMemory or VirtualProtectEx

Attempts to interact with an Alternate Data Stream (ADS)
  file_query: C:\Users\user\AppData\Local\Temp\c33440efd5bd9376b62e2ce8fd4c67c3d5e404e8.exe:typelib

A process attempted to delay the analysis task.
  api_process_name: WmiPrvSE.exe tried to sleep 360 seconds, actually delayed analysis time by 0 seconds

Detects Sandboxie through the presence of a library
  file_query: SbieDll

Detects VirtualBox through the presence of a registry key
  registry_query: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\VBOX__

Checks the version of BIOS, possibly for anti-virtualization
  registry_read: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion