Yara detected AntiVM3
Yara detected GuLoader
Found driver which could be used to inject code into processes
May modify the system service descriptor table (often done to hook functions)
Writes many files with high entropy
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Drops certificate files (DER)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Tries to load missing DLLs
Uses cacls to modify the permissions of files
Drops PE files to the windows directory (C:\Windows)
Yara detected Keylogger Generic
Creates or modifies windows services
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)