Attempts to repeatedly call a single API many times in order to delay analysis time
- Spam: cbb006846738e71d607714cc3daa16475f04c8e725025a9ba5cbb52785ab959c.exe (1348) called API __exception__ 30849 times
- Spam: cbb006846738e71d607714cc3daa16475f04c8e725025a9ba5cbb52785ab959c.exe (3848) called API __exception__ 25871 times
- Spam: explorer.exe (1076) called API GetSystemMetrics 89301 times
- Spam: explorer.exe (1076) called API GetKeyState 10277 times
- Spam: cbb006846738e71d607714cc3daa16475f04c8e725025a9ba5cbb52785ab959c.exe (2376) called API __exception__ 30849 times
- Spam: FD5FC1C6983.exe (2140) called API GetSystemTimeAsFileTime 19532 times
- Spam: FD5FC1C6983.exe (2680) called API GetSystemTimeAsFileTime 32625 times
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
A process attempted to delay the analysis task.
- Description: FD5FC1C6983.exe tried to sleep 4948 seconds, actually delayed analysis time by 4948 seconds
- Description: explorer.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds
Tries to suspend Cuckoo threads to prevent logging of malicious activity
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available

| PID | API | Arguments |
| --- | --- | --- |
| 2748 | GlobalMemoryStatusEx | N/A |
Queries the disk size, which could be used to detect a virtual machine with a small fixed-size or dynamically allocated disk

| PID | API | Arguments |
| --- | --- | --- |
| 1076 | GetDiskFreeSpaceExW | root_path: C:\Users\Virtual\AppData\Local\Microsoft\Windows\Explorer, free_bytes_available: 5231575040, total_number_of_bytes: 0, total_number_of_free_bytes: 0 |
| 1076 | GetDiskFreeSpaceExW | root_path: C:\Users\Virtual\AppData\Local\Microsoft\Windows\Explorer, free_bytes_available: 5213847552, total_number_of_bytes: 0, total_number_of_free_bytes: 0 |
| 1076 | GetDiskFreeSpaceExW | root_path: C:\Users\Virtual\AppData\Local\Microsoft\Windows\Explorer, free_bytes_available: 5213782016, total_number_of_bytes: 0, total_number_of_free_bytes: 0 |
| 1076 | GetDiskFreeSpaceExW | root_path: C:\Users\Virtual\AppData\Local\Microsoft\Windows\Explorer, free_bytes_available: 5213347840, total_number_of_bytes: 0, total_number_of_free_bytes: 0 |
| 1076 | GetDiskFreeSpaceExW | root_path: C:\Users\Virtual\AppData\Local\Microsoft\Windows\Explorer, free_bytes_available: 5213274112, total_number_of_bytes: 0, total_number_of_free_bytes: 0 |
| 1076 | GetDiskFreeSpaceExW | root_path: C:\Users\Virtual\AppData\Local\Microsoft\Windows\Explorer, free_bytes_available: 5209874432, total_number_of_bytes: 0, total_number_of_free_bytes: 0 |
| 1076 | GetDiskFreeSpaceExW | root_path: C:\Users\Virtual\AppData\Local\Microsoft\Windows\Explorer, free_bytes_available: 5209186304, total_number_of_bytes: 0, total_number_of_free_bytes: 0 |
| 1076 | GetDiskFreeSpaceExW | root_path: C:\Users\Virtual\AppData\Local\Microsoft\Windows\Explorer, free_bytes_available: 5209030656, total_number_of_bytes: 0, total_number_of_free_bytes: 0 |
Checks adapter addresses which can be used to detect virtual network interfaces
| PID | API | Arguments |
| --- | --- | --- |
| 2696 | GetAdaptersAddresses | flags: 0, family: 0 |
| 2696 | GetAdaptersAddresses | flags: 0, family: 0 |
Attempts to modify browser security settings
- Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\FD5FC1C6983.exe
Tries to locate where the browsers are installed
- File: C:\Program Files (x86)\Mozilla Firefox\FD5FC1C6983.exe
Attempts to modify proxy settings
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Creates executable files on the filesystem
- File: C:\Users\Virtual\AppData\Local\Temp\B8210EC\BEE5FCB2B52\ACDCmpc8v.dll
- File: C:\Users\Virtual\AppData\Local\Temp\B8210EC\D0BE20\G6E5E42C5836\7FD5EuwX4.dll
- File: C:\Users\Virtual\AppData\Local\Temp\B8210EC\D0BE20\ID290953\D96uINGF.dll
- File: C:\Users\Virtual\AppData\Local\Temp\B8210EC\D0BE20\B57B91861C6\B336ZSCjK.dll
- File: C:\Users\Virtual\AppData\Local\Temp\B8210EC\D0BE20\G6E5E42C5836\E0D2aW3eC.dll
- File: C:\Users\Virtual\AppData\Local\Temp\B8210EC\D0BE20\CFEB7D\1B79e16ts.dll
- File: C:\Users\Virtual\AppData\Local\Temp\B8210EC\D339F8C1A\27DFXsf6.dll
- File: C:\Users\Virtual\AppData\Local\Temp\B8210EC\D0BE20\G6E5E42C5836\FF3DE7aJt.dll
- File: C:\Users\Virtual\AppData\Local\Temp\B8210EC\DD267FC3\C3538pi0q.dll
- File: C:\Users\Virtual\AppData\Local\Temp\B8210EC\B1F3838\5B4EZV8gK.dll
- File: C:\Program Files (x86)\Mozilla Firefox\FD5FC1C6983.exe
- File: C:\Users\Virtual\AppData\Local\Temp\B8210EC\GA809FE\2BEDcVUmN.dll
- File: C:\Users\Virtual\AppData\Local\Temp\B8210EC\D0BE20\F1860EC\A280yun5v.dll
- File: C:\Users\Virtual\AppData\Local\Temp\B8210EC\D0BE20\E34D0699A\DD93XTJbU.exe
- File: C:\Users\Virtual\AppData\Local\Temp\B8210EC\D0BE20\A74EBF\F8E7vcVnd.dll
- File: C:\Users\Virtual\AppData\Local\Temp\B8210EC\D0BE20\EB69357FC1F9\E714qmHuS.dll
- File: C:\Users\Virtual\Desktop\cbb006846738e71d607714cc3daa16475f04c8e725025a9ba5cbb52785ab959c.lnk
- File: C:\Users\Virtual\AppData\Local\Temp\B8210EC\C6C2D7479C2D\CE63yun5y.dll
Reads data out of its own binary image
| Process | PID | Offset | Length |
| --- | --- | --- | --- |
| cbb006846738e71d607714cc3daa16475f04c8e725025a9ba5cbb52785ab959c.exe | 2576 | 0x00000000 | 0x00f78000 |
| FD5FC1C6983.exe | 2696 | 0x00000000 | 0x00000138 |
| cbb006846738e71d607714cc3daa16475f04c8e725025a9ba5cbb52785ab959c.exe | 2748 | 0x00000000 | 0x00f78000 |
| FD5FC1C6983.exe | 2140 | 0x00000000 | 0x00000138 |
| cbb006846738e71d607714cc3daa16475f04c8e725025a9ba5cbb52785ab959c.exe | 2176 | 0x00000000 | 0x00f78000 |
| FD5FC1C6983.exe | 1812 | 0x00000000 | 0x00000138 |
| cbb006846738e71d607714cc3daa16475f04c8e725025a9ba5cbb52785ab959c.exe | 936 | 0x00000000 | 0x00f78000 |
| FD5FC1C6983.exe | 2680 | 0x00000000 | 0x00000138 |
| cbb006846738e71d607714cc3daa16475f04c8e725025a9ba5cbb52785ab959c.exe | 2936 | 0x00000000 | 0x00f78000 |
| FD5FC1C6983.exe | 2100 | 0x00000000 | 0x00000138 |
| cbb006846738e71d607714cc3daa16475f04c8e725025a9ba5cbb52785ab959c.exe | 1348 | 0x00000000 | 0x00f78000 |
| cbb006846738e71d607714cc3daa16475f04c8e725025a9ba5cbb52785ab959c.exe | 2376 | 0x00000000 | 0x00f78000 |
| FD5FC1C6983.exe | 3364 | 0x00000000 | 0x00000138 |
| cbb006846738e71d607714cc3daa16475f04c8e725025a9ba5cbb52785ab959c.exe | 3616 | 0x00000000 | 0x00f78000 |
One or more of the buffers contains an embedded PE file
- Buffer: Buffer with sha1: 669268b618c6914f89957190d48ee64e8948b407
Installs a hook procedure to monitor for mouse events

| PID | API | Arguments |
| --- | --- | --- |
| 2696 | SetWindowsHookExW | thread_identifier: 2700, callback_function: 0x766a3e83, hook_identifier: 7, module_address: 0x00000000 |
Performs some HTTP requests
HTTP traffic contains suspicious features which may be indicative of malware related traffic
- Ip Hostname: HTTP connection was made to an IP address rather than domain name
Executed a process and injected code into it, probably while unpacking
| PID | API | Arguments |
| --- | --- | --- |
| 2748 | NtResumeThread | thread_handle: 0x00000200, suspend_count: 1, process_identifier: 2576 |
| 2748 | CreateProcessInternalW | thread_identifier: 2700, thread_handle: 0x0000027c, process_identifier: 2696, current_directory: (empty), filepath: (empty), track: 1, command_line: C:\Program Files (x86)\Mozilla Firefox\FD5FC1C6983.exe WfCSiyl7KCmShHcoKisvgpKPHh5aLyovkmJ9eS+Ckop7gx6SeXh43t7k5urk5enme+XfeuTe5eXf6nl56XovL9/k6uXrdN7qeeZ75ejr3ujrL+d4L+t5eHjr6OXm6y945+vneTx7JntO, filepath_r: (empty), stack_pivoted: 0, creation_flags: 4, inherit_handles: 0, process_handle: 0x000002c8 |
| 2748 | NtUnmapViewOfSection | base_address: 0x00400000, region_size: 4096, process_identifier: 2696, process_handle: 0x000002c8 |
| 2748 | NtAllocateVirtualMemory | process_identifier: 2696, region_size: 31264768, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, protection: 64, base_address: 0x00400000, allocation_type: 12288, process_handle: 0x000002c8 |
| 2748 | WriteProcessMemory | buffer: (empty), base_address: 0x00400000, process_identifier: 2696, process_handle: 0x000002c8 |
| 2748 | WriteProcessMemory | buffer: (empty), base_address: 0x01257000, process_identifier: 2696, process_handle: 0x000002c8 |
| 2748 | WriteProcessMemory | buffer: (empty), base_address: 0x021b8000, process_identifier: 2696, process_handle: 0x000002c8 |
| 2748 | WriteProcessMemory | buffer: (empty), base_address: 0x021b9000, process_identifier: 2696, process_handle: 0x000002c8 |
| 2748 | NtGetContextThread | thread_handle: 0x0000027c |
| 2748 | NtSetContextThread | registers: {u'eip': 0, u'esp': 0, u'edi': 0, u'eax': 19276885, u'ebp': 0, u'edx': 0, u'ebx': 2130567168, u'esi': 0, u'ecx': 0}, thread_handle: 0x0000027c, process_identifier: 2696 |
| 2748 | NtResumeThread | thread_handle: 0x0000027c, suspend_count: 1, process_identifier: 2696 |
Sample contacts servers at uncommon ports
- Connection: 47.75.31.117:8080
- Registration: Registration of port 8080 reported as Unregistered
Performs some DNS requests
| Request | IP |
| --- | --- |
| sinacloud.net | 183.60.187.57 |
| www.sohu.com | 104.254.66.16 |
| www.sina.com.cn | 47.246.22.232 |
| www.sogou.com | 119.28.109.132 |
| sinastorage.cn | 49.7.37.28 |
| www.baidu.com | 104.193.88.123 |
| www.iqiyi.com | 104.112.19.114 |
| www.qq.com | 23.43.168.241 |
| jdnx.oss-cn-zhangjiakou.aliyuncs.com | 47.92.17.207 |
| www.so.com | 104.192.110.226 |
| sinastorage.com | 121.14.32.187 |
| jiandan.yaotongji.com | 47.75.31.117 |
Attempts to connect to dead IP:Port(s)
Network activity contains more than one unique useragent.
Unconventional language used in binary resources
- Language: Chinese (Simplified)
The executable has PE anomalies (could be a false positive)
- Section: .data30
- Section: .data31
Allocates read-write-execute memory (usually to unpack itself)
| PID | API | Arguments |
| --- | --- | --- |
| 2748 | NtProtectVirtualMemory | process_identifier: 2576, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 512000, protection: 64, base_address: 0x00401000, process_handle: 0xffffffff |
| 2748 | NtAllocateVirtualMemory | process_identifier: 2576, region_size: 4096, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 1, protection: 64, base_address: 0x7e000000, allocation_type: 12288, process_handle: 0xffffffff |
| 2748 | NtAllocateVirtualMemory | process_identifier: 2576, region_size: 4096, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, protection: 64, base_address: 0x7d8a0000, allocation_type: 12288, process_handle: 0xffffffff |
| 2748 | NtAllocateVirtualMemory | process_identifier: 2576, region_size: 4096, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, protection: 64, base_address: 0x7d8b0000, allocation_type: 12288, process_handle: 0xffffffff |
| 2748 | NtAllocateVirtualMemory | process_identifier: 2576, region_size: 4096, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, protection: 64, base_address: 0x7d8c0000, allocation_type: 12288, process_handle: 0xffffffff |
| 2748 | NtAllocateVirtualMemory | process_identifier: 2576, region_size: 4096, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, protection: 64, base_address: 0x7d8d0000, allocation_type: 12288, process_handle: 0xffffffff |
| 2748 | NtAllocateVirtualMemory | process_identifier: 2576, region_size: 4096, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, protection: 64, base_address: 0x7d8e0000, allocation_type: 12288, process_handle: 0xffffffff |
| 2748 | NtAllocateVirtualMemory | process_identifier: 2576, region_size: 4096, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, protection: 64, base_address: 0x7d8f0000, allocation_type: 12288, process_handle: 0xffffffff |
| 2748 | NtAllocateVirtualMemory | process_identifier: 2576, region_size: 4096, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 1, protection: 64, base_address: 0x7d900000, allocation_type: 12288, process_handle: 0xffffffff |
| 2748 | NtAllocateVirtualMemory | process_identifier: 2696, region_size: 31264768, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, protection: 64, base_address: 0x00400000, allocation_type: 12288, process_handle: 0x000002c8 |
The binary likely contains encrypted or compressed data.
- Section: .data31, at virtual address 0x00e57000
- Entropy: 7.81512336703
- Description: A section with a high entropy has been found
- Entropy: 0.994128417198
- Description: Overall entropy of this PE file is high
Contains obfuscated control-flow to defeat static analysis.
Queries for the computername
| PID | API | Arguments |
| --- | --- | --- |
| 2748 | GetComputerNameW | computer_name: VIRTUAL-PC |
This sample contains high entropy sections
- Section: .data31, at virtual address 0x00e57000
- Entropy: 7.81512336703
Strings possibly contain hardcoded URLs
- Possible Url: http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
- Possible Url: http://www.w3.org/1999/xhtml">
Contains sections of zero entropy
- Section: .text, at virtual address 0x00001000
- Section: .rdata, at virtual address 0x0007e000
- Section: .data, at virtual address 0x0009b000
- Section: .data30, at virtual address 0x000a5000
Deletes its original binary from disk
- File: C:\Program Files (x86)\Mozilla Firefox\FD5FC1C6983.exe
Creates a hidden or system file
- File: C:\Users\Virtual\AppData\Local\Temp\B8210EC\BA03C5