Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 16, 2021, 12:49 p.m.	Oct. 16, 2021, 12:52 p.m.

Size	1.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`a0747b376c17728fe2731e9e98d1b017`
SHA256	`870130235c0034bb2649c4268bfc3ff87de0fe2cf13d0af41ce0c0f397e5ea50`
CRC32	`2ACE8A5F`
ssdeep	`24576:rAOcZEhGZJLnKjCT+8RrtqrpUu8sR0coTvAiHca6TPY5I7nT1RMwa+NI:tMZU/SrtqrpccOv/HP6c5IzTXM7+NI`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

ORIGINAL DOCUMENTS BL, C.I. & PACKING LIST.scr "C:\Users\test22\AppData\Local\Temp\ORIGINAL DOCUMENTS BL, C.I. & PACKING LIST.scr"
1660
- bmxbniuglo.pif "C:\45235440\bmxbniuglo.pif" jifvhstup.tcl
  972
  - mshta.exe "C:\Windows\SysWOW64\mshta.exe"
    2428
  - mshta.exe "C:\Windows\SysWOW64\mshta.exe"
    2404
  - mshta.exe "C:\Windows\SysWOW64\mshta.exe"
    2900
  - mshta.exe "C:\Windows\SysWOW64\mshta.exe"
    2596
  - mshta.exe "C:\Windows\SysWOW64\mshta.exe"
    1104
  - mshta.exe "C:\Windows\SysWOW64\mshta.exe"
    2524
  - mshta.exe "C:\Windows\SysWOW64\mshta.exe"
    2220

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 16, 2021, 12:49 p.m.			0	0
IsDebuggerPresent Oct. 16, 2021, 12:49 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 16, 2021, 12:49 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 16, 2021, 12:50 p.m.	stacktrace: RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x77b0e003 GlobalFree+0x27 GlobalAlloc-0x11f kernelbase+0x13e88 @ 0x75673e88 bmxbniuglo+0x10ccd @ 0x1030ccd bmxbniuglo+0x7536e @ 0x109536e bmxbniuglo+0x7557a @ 0x109557a bmxbniuglo+0x3fa6 @ 0x1023fa6 bmxbniuglo+0x8f8d @ 0x1028f8d bmxbniuglo+0x96f5 @ 0x10296f5 bmxbniuglo+0xa2f7 @ 0x102a2f7 bmxbniuglo+0x962c @ 0x102962c bmxbniuglo+0xa2f7 @ 0x102a2f7 bmxbniuglo+0x962c @ 0x102962c bmxbniuglo+0xa2f7 @ 0x102a2f7 bmxbniuglo+0x962c @ 0x102962c bmxbniuglo+0xa2f7 @ 0x102a2f7 bmxbniuglo+0x962c @ 0x102962c bmxbniuglo+0xd87e @ 0x102d87e bmxbniuglo+0xd967 @ 0x102d967 bmxbniuglo+0x1648e @ 0x103648e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 89 30 8b 45 e0 8b 55 e4 8d 7e 08 f0 0f c7 0f 3b exception.symbol: RtlInitUnicodeString+0x1f3 RtlMultiByteToUnicodeN-0x14a ntdll+0x2e3fb exception.instruction: mov dword ptr [eax], esi exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 189435 exception.address: 0x77b0e3fb registers.esp: 7529760 registers.edi: 2133524480 registers.eax: 3735928559 registers.ebp: 7529812 registers.edx: 57005 registers.ebx: 2133540592 registers.esi: 47749304 registers.ecx: 3735928569	1	0	0
__exception__ Oct. 16, 2021, 12:50 p.m.	stacktrace: RtlpNtEnumerateSubKey+0x2a2b isupper-0x4e2b ntdll+0xcf559 @ 0x77baf559 RtlpNtEnumerateSubKey+0x2b0b isupper-0x4d4b ntdll+0xcf639 @ 0x77baf639 RtlUlonglongByteSwap+0xba5 RtlFreeOemString-0x20d35 ntdll+0x7df95 @ 0x77b5df95 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x76a414dd bmxbniuglo+0x13684 @ 0x1033684 bmxbniuglo+0x43723 @ 0x1063723 bmxbniuglo+0x4b35d @ 0x106b35d bmxbniuglo+0x28371 @ 0x1048371 bmxbniuglo+0xb66f @ 0x102b66f bmxbniuglo+0xb66f @ 0x102b66f bmxbniuglo+0xa61e @ 0x102a61e bmxbniuglo+0x962c @ 0x102962c bmxbniuglo+0xa2f7 @ 0x102a2f7 bmxbniuglo+0x962c @ 0x102962c bmxbniuglo+0xa2f7 @ 0x102a2f7 bmxbniuglo+0x962c @ 0x102962c bmxbniuglo+0xa2f7 @ 0x102a2f7 bmxbniuglo+0x962c @ 0x102962c bmxbniuglo+0xd87e @ 0x102d87e bmxbniuglo+0xd967 @ 0x102d967 bmxbniuglo+0x1648e @ 0x103648e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: eb 12 8b 45 ec 8b 08 8b 09 50 51 e8 6f ff ff ff exception.symbol: RtlpNtEnumerateSubKey+0x1b25 isupper-0x5d31 ntdll+0xce653 exception.instruction: jmp 0x77bae667 exception.module: ntdll.dll exception.exception_code: 0xc0000374 exception.offset: 845395 exception.address: 0x77bae653 registers.esp: 7530988 registers.edi: 16365640 registers.eax: 7531004 registers.ebp: 7531108 registers.edx: 0 registers.ebx: 0 registers.esi: 42074112 registers.ecx: 2147483647	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 16, 2021, 12:50 p.m.

stacktrace:

RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x77b0e003
GlobalFree+0x27 GlobalAlloc-0x11f kernelbase+0x13e88 @ 0x75673e88
bmxbniuglo+0x10ccd @ 0x1030ccd
bmxbniuglo+0x7536e @ 0x109536e
bmxbniuglo+0x7557a @ 0x109557a
bmxbniuglo+0x3fa6 @ 0x1023fa6
bmxbniuglo+0x8f8d @ 0x1028f8d
bmxbniuglo+0x96f5 @ 0x10296f5
bmxbniuglo+0xa2f7 @ 0x102a2f7
bmxbniuglo+0x962c @ 0x102962c
bmxbniuglo+0xa2f7 @ 0x102a2f7
bmxbniuglo+0x962c @ 0x102962c
bmxbniuglo+0xa2f7 @ 0x102a2f7
bmxbniuglo+0x962c @ 0x102962c
bmxbniuglo+0xa2f7 @ 0x102a2f7
bmxbniuglo+0x962c @ 0x102962c
bmxbniuglo+0xd87e @ 0x102d87e
bmxbniuglo+0xd967 @ 0x102d967
bmxbniuglo+0x1648e @ 0x103648e
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: 89 30 8b 45 e0 8b 55 e4 8d 7e 08 f0 0f c7 0f 3b
exception.symbol: RtlInitUnicodeString+0x1f3 RtlMultiByteToUnicodeN-0x14a ntdll+0x2e3fb
exception.instruction: mov dword ptr [eax], esi
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 189435
exception.address: 0x77b0e3fb
registers.esp: 7529760
registers.edi: 2133524480
registers.eax: 3735928559
registers.ebp: 7529812
registers.edx: 57005
registers.ebx: 2133540592
registers.esi: 47749304
registers.ecx: 3735928569

__exception__

Oct. 16, 2021, 12:50 p.m.

stacktrace:

RtlpNtEnumerateSubKey+0x2a2b isupper-0x4e2b ntdll+0xcf559 @ 0x77baf559
RtlpNtEnumerateSubKey+0x2b0b isupper-0x4d4b ntdll+0xcf639 @ 0x77baf639
RtlUlonglongByteSwap+0xba5 RtlFreeOemString-0x20d35 ntdll+0x7df95 @ 0x77b5df95
HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x76a414dd
bmxbniuglo+0x13684 @ 0x1033684
bmxbniuglo+0x43723 @ 0x1063723
bmxbniuglo+0x4b35d @ 0x106b35d
bmxbniuglo+0x28371 @ 0x1048371
bmxbniuglo+0xb66f @ 0x102b66f
bmxbniuglo+0xb66f @ 0x102b66f
bmxbniuglo+0xa61e @ 0x102a61e
bmxbniuglo+0x962c @ 0x102962c
bmxbniuglo+0xa2f7 @ 0x102a2f7
bmxbniuglo+0x962c @ 0x102962c
bmxbniuglo+0xa2f7 @ 0x102a2f7
bmxbniuglo+0x962c @ 0x102962c
bmxbniuglo+0xa2f7 @ 0x102a2f7
bmxbniuglo+0x962c @ 0x102962c
bmxbniuglo+0xd87e @ 0x102d87e
bmxbniuglo+0xd967 @ 0x102d967
bmxbniuglo+0x1648e @ 0x103648e
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: eb 12 8b 45 ec 8b 08 8b 09 50 51 e8 6f ff ff ff
exception.symbol: RtlpNtEnumerateSubKey+0x1b25 isupper-0x5d31 ntdll+0xce653
exception.instruction: jmp 0x77bae667
exception.module: ntdll.dll
exception.exception_code: 0xc0000374
exception.offset: 845395
exception.address: 0x77bae653
registers.esp: 7530988
registers.edi: 16365640
registers.eax: 7531004
registers.ebp: 7531108
registers.edx: 0
registers.ebx: 0
registers.esi: 42074112
registers.ecx: 2147483647

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (9 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 16, 2021, 12:49 p.m.	process_identifier: 1660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2021, 12:49 p.m.	process_identifier: 972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2021, 12:49 p.m.	process_identifier: 2428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2021, 12:50 p.m.	process_identifier: 2404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2021, 12:50 p.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2021, 12:50 p.m.	process_identifier: 2596 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2021, 12:50 p.m.	process_identifier: 1104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2021, 12:50 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2021, 12:50 p.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa2000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (3 events)

file	C:\45235440\iuoxfcmjun.docx
file	C:\45235440\rkkqop.pdf
file	C:\45235440\tkxslowu.ppt

Creates executable files on the filesystem (6 events)

file	C:\45235440\nbrer.dll
file	C:\45235440\cduwe.exe
file	C:\45235440\cqsxpvbp.exe
file	C:\45235440\khgn.cpl
file	C:\45235440\bmxbniuglo.pif
file	C:\45235440\qmquqpi.dll

Creates a suspicious process (2 events)

cmdline	"C:\Windows\SysWOW64\mshta.exe"
cmdline	C:\Windows\SysWOW64\mshta.exe

Drops a binary and executes it (1 event)

file	C:\45235440\bmxbniuglo.pif

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (34 events)

Time & API	Arguments	Status	Return
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: smss.exe process_identifier: 228	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: csrss.exe process_identifier: 308	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: csrss.exe process_identifier: 368	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: winlogon.exe process_identifier: 412	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: services.exe process_identifier: 448	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: lsm.exe process_identifier: 472	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: svchost.exe process_identifier: 584	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: svchost.exe process_identifier: 660	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: svchost.exe process_identifier: 736	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: svchost.exe process_identifier: 820	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: svchost.exe process_identifier: 852	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: audiodg.exe process_identifier: 912	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: svchost.exe process_identifier: 1004	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: svchost.exe process_identifier: 1072	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: taskhost.exe process_identifier: 1140	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: dwm.exe process_identifier: 1204	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: explorer.exe process_identifier: 1236	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: svchost.exe process_identifier: 1432	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: IMEDICTUPDATE.EXE process_identifier: 1476	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: svchost.exe process_identifier: 1844	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: pw.exe process_identifier: 1996	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: SearchIndexer.exe process_identifier: 748	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: taskeng.exe process_identifier: 2932	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: WmiPrvSE.exe process_identifier: 2160	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: svchost.exe process_identifier: 2196	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: pw.exe process_identifier: 888	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: sppsvc.exe process_identifier: 2960	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: taskhost.exe process_identifier: 2488	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: SearchProtocolHost.exe process_identifier: 2472	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: SearchFilterHost.exe process_identifier: 180	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: bmxbniuglo.pif process_identifier: 972	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: cmd.exe process_identifier: 2828	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: conhost.exe process_identifier: 2956	1	1
Process32NextW Oct. 16, 2021, 12:50 p.m.	snapshot_handle: 0x000001f4 process_name: pw.exe process_identifier: 1080	1	1

Yara rule detected in process memory (50 out of 56 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 05cc4cb736dcfd51ad8dbc245a95007b5cef2e85

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate

reg_value

c:\45235440\BMXBNI~1.PIF c:\45235440\JIFVHS~1.TCL

Resumed a suspended thread in a remote process potentially indicative of process injection (14 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 972 resumed a thread in remote process 2428
Process injection	Process 972 resumed a thread in remote process 2404
Process injection	Process 972 resumed a thread in remote process 2900
Process injection	Process 972 resumed a thread in remote process 2596
Process injection	Process 972 resumed a thread in remote process 1104
Process injection	Process 972 resumed a thread in remote process 2524
Process injection	Process 972 resumed a thread in remote process 2220
NtResumeThread Oct. 16, 2021, 12:49 p.m.	thread_handle: 0x000002b4 suspend_count: 1 process_identifier: 2428	1	0	0
NtResumeThread Oct. 16, 2021, 12:50 p.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 2404	1	0	0
NtResumeThread Oct. 16, 2021, 12:50 p.m.	thread_handle: 0x000001f4 suspend_count: 1 process_identifier: 2900	1	0	0
NtResumeThread Oct. 16, 2021, 12:50 p.m.	thread_handle: 0x00000184 suspend_count: 1 process_identifier: 2596	1	0	0
NtResumeThread Oct. 16, 2021, 12:50 p.m.	thread_handle: 0x0000021c suspend_count: 1 process_identifier: 1104	1	0	0
NtResumeThread Oct. 16, 2021, 12:50 p.m.	thread_handle: 0x00000214 suspend_count: 1 process_identifier: 2524	1	0	0
NtResumeThread Oct. 16, 2021, 12:50 p.m.	thread_handle: 0x000002bc suspend_count: 1 process_identifier: 2220	1	0	0

ORIGINAL DOCUMENTS BL, C.I. & PACKING LIST.scr

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All