Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Detects file using ACProtect software.

Detects executables packed with ASPack v2.12-2.42

BIOS information is often read in order to detect sandboxing environments.

Suspicious access to Credentials History.

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Tries to access configuration files associated with programs like FileZilla.

Infostealers often target stored browser data, which can include saved credentials etc.

Steal credentials from unsecured files.

Detects executables packed with VMProtect commercial packer.

Looks up Uninstall key entries in the registry to enumerate software on the system.

Attempts to read the root path of hard drives other than the default C: drive.

Uses a legitimate IP lookup service to find the infected system's external IP.

Attempt to gather information on host's network.

Attempt to gather information on host network.

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

AutoIT scripts compiled to PE executables.

Detects executables packed with UPX/modified UPX open source packer.