Creates an undocumented autostart registry key
Creates autostart registry keys to launch java
Found suspicious ZIP file
Machine Learning detection for sample
PE file has a writeable .text section
Checks for available system drives (often done to infect USB drives)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sigma detected: Common Autorun Keys Modification
Sigma detected: Internet Explorer Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)