VMRay Analyzer Report
VTI Score 91 / 100 | |
| VTI Database Version | 2.2 |
| VTI Rule Match Count | 21 |
| VTI Rule Type | Default (PE, ...) |
 | Anti Analysis | Illegitimate API usage | |
Internal API "CreateProcessInternalA" was used to start ""C:\program files\internet explorer\IEXPLORE.EXE"". | |||
| Anti Analysis | Try to detect forensic tool | |
Search for the window class "FilemonClass" that is related to a forensic tool. | |||
Search for the window "File Monitor - Sysinternals: www.sysinternals.com" that is related to a forensic tool. | |||
Search for the window class "PROCMON_WINDOW_CLASS" that is related to a forensic tool. | |||
Search for the window class "RegmonClass" that is related to a forensic tool. | |||
Search for the window "Registry Monitor - Sysinternals: www.sysinternals.com" that is related to a forensic tool. | |||
Search for the window class "18467-41" that is related to a forensic tool. | |||
| Anti Analysis | Try to detect debugger | |
Check via API "NtQueryInformationProcess". | |||
Find window class "OLLYDBG". | |||
Find window class "GBDYLLO". | |||
Find window class "pediy06". | |||
Check via API "CheckRemoteDebuggerPresent". | |||
| Anti Analysis | Try to detect virtual machine | |
Possibly trying to detect VirtualPC via vpcext instruction at "0xb073f0f". | |||
Possibly trying to detect VM via rdtsc. | |||
| Injection | Modify control flow of an other process | |
"c:\users\dssdpmx042\desktop\explorer pro.exe" alters context of "c:\program files\internet explorer\iexplore.exe" | |||
| Process | Allocate a page with write and execute permissions | |
Allocate a page with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. | |||
Change the protection of a page from writable ("PAGE_WRITECOPY") to executable ("PAGE_EXECUTE_READWRITE"). | |||
Allocate a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. | |||
| Process | Create process with hidden window | |
The process ""C:\program files\internet explorer\IEXPLORE.EXE"" starts with hidden window. | |||
| PE | PE file is packed | |
File "Explorer Pro.exe" is packed with "Themida/WinLicense V1.8.0.2 + -> Oreans Technologies". | |||
| Process | Obfuscate control flow | |
Modify exception handler (e.g., the instruction pointer is modified within an exception handler filter). | |||
