| Field | Value |
|---|---|
| VTI Score | 91 / 100 |
| VTI Database Version | 2.2 |
| VTI Rule Match Count | 21 |
| VTI Rule Type | Default (PE, ...) |

| Category | Rule | Details |
|---|---|---|
| Anti Analysis | Illegitimate API usage | Internal API "CreateProcessInternalA" was used to start ""C:\program files\internet explorer\IEXPLORE.EXE"". |
| Anti Analysis | Try to detect forensic tool | Search for the window class "FilemonClass" that is related to a forensic tool. |
| Anti Analysis | Try to detect forensic tool | Search for the window "File Monitor - Sysinternals: www.sysinternals.com" that is related to a forensic tool. |
| Anti Analysis | Try to detect forensic tool | Search for the window class "PROCMON_WINDOW_CLASS" that is related to a forensic tool. |
| Anti Analysis | Try to detect forensic tool | Search for the window class "RegmonClass" that is related to a forensic tool. |
| Anti Analysis | Try to detect forensic tool | Search for the window "Registry Monitor - Sysinternals: www.sysinternals.com" that is related to a forensic tool. |
| Anti Analysis | Try to detect forensic tool | Search for the window class "18467-41" that is related to a forensic tool. |
| Anti Analysis | Try to detect debugger | Check via API "NtQueryInformationProcess". |
| Anti Analysis | Try to detect debugger | Find window class "OLLYDBG". |
| Anti Analysis | Try to detect debugger | Find window class "GBDYLLO". |
| Anti Analysis | Try to detect debugger | Find window class "pediy06". |
| Anti Analysis | Try to detect debugger | Check via API "CheckRemoteDebuggerPresent". |
| Anti Analysis | Try to detect virtual machine | Possibly trying to detect VirtualPC via vpcext instruction at "0xb073f0f". |
| Anti Analysis | Try to detect virtual machine | Possibly trying to detect VM via rdtsc. |
| Injection | Modify control flow of another process | "c:\users\dssdpmx042\desktop\explorer pro.exe" alters context of "c:\program files\internet explorer\iexplore.exe". |
| Process | Allocate a page with write and execute permissions | Allocate a page with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. |
| Process | Allocate a page with write and execute permissions | Change the protection of a page from writable ("PAGE_WRITECOPY") to executable ("PAGE_EXECUTE_READWRITE"). |
| Process | Allocate a page with write and execute permissions | Allocate a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. |
| Process | Create process with hidden window | The process ""C:\program files\internet explorer\IEXPLORE.EXE"" starts with a hidden window. |
| PE | PE file is packed | File "Explorer Pro.exe" is packed with "Themida/WinLicense V1.8.0.2 + -> Oreans Technologies". |
| Process | Obfuscate control flow | Modify exception handler (e.g., the instruction pointer is modified within an exception handler filter). |