Expresses interest in specific running processes
api_process_name | System |
Anomalous binary characteristics
static_pe_section_name | Unprintable characters found in section name |
static_pe_anomaly | Actual checksum does not match that reported in PE header |
Detects VirtualBox through the presence of a registry key
registry_query | HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ |
Checks the version of the BIOS, possibly for anti-virtualization
registry_read | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion |
Detects the presence of the Wine emulator via a registry key
registry_query | HKEY_CURRENT_USER\Software\Wine |
Network activity detected but not expressed in API logs
Checks for the presence of known devices from debuggers and forensic tools
registry_query | \??\SICE |
Checks for the presence of known windows from debuggers and forensic tools
api_call_window_name | OLLYDBG |
api_call_window_name | GBDYLLO |
api_call_window_name | pediy06 |
api_call_window_name | FilemonClass |
api_call_window_name | File Monitor - Sysinternals: www.sysinternals.com |
api_call_window_name | PROCMON_WINDOW_CLASS |
api_call_window_name | Process Monitor - Sysinternals: www.sysinternals.com |
api_call_window_name | RegmonClass |
api_call_window_name | Registry Monitor - Sysinternals: www.sysinternals.com |
api_call_window_name | 18467-41 |
Creates RWX memory
injection_rwx_memory | 0x00000040, NtAllocateVirtualMemory or VirtualProtectEx |
The following process appears to have been packed with Themida: 9c1db682706e84bc5c62eb94ba286d040d21bd16.exe